Abstract. Context-bounded analysis has been shown to be both efficient and effective at finding bugs in concurrent programs. According to its original definition, context-bounded analysis explores all behaviors of a concurrent program up to some fixed number of context switches between threads. This definition is inadequate for programs that create threads dynamically because bounding the number of context switches in a computation also bounds the number of threads involved in the computation. In this paper, we propose a more general definition of context-bounded analysis useful for programs with dynamic thread creation. The idea is to bound the number of context switches for each thread instead of bounding the number of switches of all threads. We consider several variants based on this new definition, and we establish decidability and complexity results for the analysis induced by them.



Introduction 

The verification of multithreaded programs is a challenging problem both from the theoretical and the practical point of view. (We consider here programs with parallel threads which may use local variables as well as shared (global) variables.) Assuming that the variables of the program range over a finite domain (which can be obtained using some abstraction on the manipulated data), there are several aspects of multithreaded programs which make their analysis complex or even undecidable in general [Ram00].

Indeed, it is well known that for instance in the case where each thread can be modeled as a finite-state system, the state space of the program grows exponentially w.r.t. the number of threads, and the reachability problem is PSPACE-hard. Moreover, if threads are modeled as pushdown systems, which corresponds to allowing unbounded depth (recursive) procedure calls in the program, then the reachability problem becomes undecidable as soon as two threads are considered.

Context-bounding has been proposed in [QR05] as a suitable technique for the analysis of multithreaded programs. The idea is to consider only the computations of the program that perform at most some fixed number of context switches between threads. (At each point only one thread is active and can modify the global variables, and a context switch happens when the active thread terminates or is interrupted, and a pending one is activated.) The state space which must be explored may still be unbounded in the presence of recursive procedure calls, but the context-bounded reachability problem is decidable even in this case. In fact, context-bounding provides a very useful tradeoff between computational complexity and verification coverage. This tradeoff is based on three important properties. First, context-bounded verification can be performed more efficiently than unbounded verification. From the complexity-theoretic point of view, it can be seen that context-bounded reachability is an NP-complete problem (even in the case of pushdown threads). Second, many concurrency errors, such as data races and atomicity violations, are manifested in executions with few context switches [MQ07]. Finally, verifying all executions of a concurrent program up to a context bound provides an intuitive and meaningful notion of coverage to the programmer.

While the concept of context-bounding is adequate for multithreaded programs with 
a (fixed) finite number of threads, the question we consider in this paper is whether this 
concept is still adequate when dynamic creation of threads is considered. 

Dynamic thread creation is useful for modeling several important aspects, e.g., (1) 
unbounded number of concurrent executions of software modules such as file systems, device 
drivers, non-blocking data structures etc., or (2) creation of asynchronous activity such as 
forking a thread, queuing a closure to a threadpool with or without timers, callbacks, etc. 
Both these sources are very important for modeling operating system components; they are 
likely to become important even for application software as it becomes increasingly parallel 
in order to harness the power of multi-core architectures. 

We argue that the "classical" notion of context-bounding which has been used so far 
in the existing work is actually too restrictive in this case. Indeed, bounding the number 
of context switches in a computation also bounds the number of threads involved. In this 
paper, we propose a more general definition of context-bounded analysis useful for programs 
with dynamic thread creation. The idea is to bound the number of context switches for 
each thread instead of bounding the number of switches of all threads. We consider several 
variants based on this new definition, and we establish decidability and complexity results 
for the analysis induced by them. 

We introduce a notion of K-bounded computations where each of the involved threads can be interrupted and resumed at most K times. In fact, we consider that when a thread is created, the number of context switches it can perform is the one of its ancestor (at the moment of the creation) minus 1. Notice that the number of context switches by all threads in a computation is not bounded since the number of threads involved is not bounded.

In the case of finite-state threads, we prove that this problem is as hard as the coverability problem for vector addition systems with states (or, Petri nets) (which is EXPSPACE-complete). The reduction from our problem to the coverability problem of vector addition systems with states is based on the simple idea of counting the number of pending threads for different values of the global and local states, as well as of the number of switches that these threads are allowed to perform. Conversely, we prove that the coverability problem of vector addition systems with states can be reduced to the 2-bounded reachability problem. These results show that in the case of dynamic thread creation, considering the notion of context-bounding for each individual thread makes the complexity jump from NP-completeness to EXPSPACE-completeness, even in the case of finite-state threads. Then, an interesting question is whether it is possible to have a notion of context-bounding with a lower complexity. We propose for that the notion of stratified context-bounding. The idea is to consider computations where the scheduling of the threads is ordered according to their number of allowed switches: First, threads of level K (the level means here the number of allowed switches) are scheduled, generating threads of level K - 1, then threads of level K - 1 are scheduled, and so on. Again, notice that K-stratified computations may have an unbounded number of context switches since it is possible to schedule an unbounded number of threads at each level. This concept obviously generalizes the "classical" notion of context-bounding. We prove that, for finite-state threads, the K-stratified context-bounded reachability problem is NP-complete (i.e., it matches the complexity of the "classical" context-bounded reachability problem). The proof is by a reduction to the satisfiability problem of existential Presburger formulas.

Then, we consider the case of dynamic creation of pushdown threads. We prove that, surprisingly, the K-bounded reachability problem is in fact decidable, and that the same holds also for the K-stratified context-bounded reachability problem. To establish these results, we prove that these problems (for pushdown threads) can be reduced to their corresponding problems for finite-state threads. This reduction is not trivial. The main ideas behind the reduction are as follows: First, the K-bounded behaviors of each single thread can be represented by a labeled pushdown system which (1) makes visible (as labels) on its transitions the created threads, and (2) guesses points of interruption-resumption and the corresponding values of the global states. (These guesses are also made visible on the transitions.) Then, the main problem is to "synchronize" these labeled pushdown systems so that their guesses can be validated. The key observation is that it is possible to abstract these systems without loss of precision by finite-state systems. This is due to the fact that we can consider that some of the generated threads can be lost (since they can be seen as threads that are never activated), and therefore we can reason about the downward closure of the languages of the labeled pushdown systems mentioned above (w.r.t. a suitable subword relation). This downward closure is in fact always regular and effectively constructible.



Related work. In the last few years, several implementations and algorithmic improvements have been proposed for context-bounded verification [BESS05, MQ07, SES08, LTKR08, LR08, LMP09]. For instance, context-bounded verification has been implemented in explicit-state model checkers such as CHESS [MQ07] and SPIN [ZJ08]; it has also been implemented in symbolic model checkers such as SLAM [QW04], jMoped [SES08], and in [LR08]. In this paper, we propose more general definitions of context-bounded analysis useful for programs with dynamic thread creation.

Several models based on rewriting systems or networks of pushdown systems have been considered to model multithreaded programs [LS98, EP00, SSTX1, Mo02, BT03, BT05]. While these models allow modeling dynamic thread creation, they only allow communication between processes in a very restrictive way.

In [BMOT05], a model based on networks of pushdown systems called CDPN was proposed. While this model allows dynamic creation of processes, it allows only a restricted form of synchronization where a process has the right to read only the control states of its immediate children (i.e., the processes it has created).

A symbolic algorithm for over-approximating reachability in Boolean programs with unboundedly many threads was given in [CKS06, CKS07]. Our approach complements these techniques: they are able to prove that a safety property of interest holds, while our work is useful for effectively detecting bad behaviors of the analyzed programs.

A recent paper proposes an algorithm for the verification problem for parametrized concurrent programs with procedure calls under a k-round-robin schedule [LMP10]. Our work is more powerful than this framework as long as the data domain is bounded.



1. Preliminary definitions and notations

In this section, we introduce some basic definitions and notations that will be used in the rest of the paper.

1.1. Integers, functions, and vectors.

Integers. Let $\mathbb{Z}$ be the set of integers and $\mathbb{N}$ be the set of positive integers (or natural numbers). For every $i, j \in \mathbb{Z}$ such that $i < j$, we use $[i,j]$ and $[i,j[$ to denote respectively the sets $\{k \in \mathbb{Z} \mid i \le k \le j\}$ and $\{k \in \mathbb{Z} \mid i \le k < j\}$.

Functions. Let A and B be two sets. We denote by $[A \to B]$ the set of all functions from A to B. If $f, g$ are two functions from A to $\mathbb{N}$, then we write $g \le f$ if and only if $g(a) \le f(a)$ for all $a \in A$. We use $f + g$ (resp. $f - g$ if $g \le f$) to denote the function from A to $\mathbb{N}$ defined as follows: $(f+g)(a) = f(a) + g(a)$ (resp. $(f-g)(a) = f(a) - g(a)$) for all $a \in A$. For every subset $C \subseteq A$, we use $\mathrm{Id}^A_C$ to denote the function from A to $\mathbb{N}$ defined as follows:

(1.1)

In particular, $\mathrm{Id}^A_\emptyset$ denotes the function that maps any element of A to 0.

Vectors. Let n be a natural number and A be a set. An n-dim vector v over A is an element of $A^n$. For every $i \in [1,n]$, we denote by $v[i] \in A$ the $i$-th component of v. Given $j \in [1,n]$ and $a \in A$, we denote by $v[j \leftarrow a]$ the n-dim vector $v'$ over A such that $v'[j] = a$ and $v'[k] = v[k]$ for all $k \in [1,n]$ with $k \ne j$.

Vectors of integers. The order relation $\le$ between integers is generalized in a pointwise manner to vectors of integers. We write $\mathbf{0}_n$ to denote the n-dim vector v over $\mathbb{Z}$ such that $v[i] = 0$ for all $i \in [1,n]$. We trivially extend the addition and subtraction operations over integers to vectors of integers.
1.2. Words and languages. Given a finite set $\Sigma$ called an alphabet and whose elements are called letters or symbols, a word u over $\Sigma$ is either a finite sequence of letters in $\Sigma$ or the empty word $\epsilon$. The length of u is denoted by $|u|$. (We assume that $|\epsilon| = 0$.) For every $a \in \Sigma$, we use $|u|_a$ to denote the number of occurrences of a in u. For every $j \in [1,|u|]$, we use $u(j)$ to denote the $j$-th letter of u.

A language L over $\Sigma$ is a (possibly infinite) set of words over $\Sigma$. We adopt the widespread notations $\Sigma^*$ and $\Sigma^+$ to represent respectively the languages containing all words and all non-empty words over $\Sigma$. We also use $\Sigma_\epsilon$ to denote the set $\Sigma \cup \{\epsilon\}$.

We denote by $\preceq\ \subseteq \Sigma^* \times \Sigma^*$ the subword relation defined as follows: For every $u, v \in \Sigma^*$, $u \preceq v$ if and only if: (1) $u = \epsilon$, or (2) there are $i_1, i_2, \ldots, i_{|u|} \in [1,|v|]$ such that $i_1 < i_2 < \cdots < i_{|u|}$ and $u(j) = v(i_j)$ for all $j \in [1,|u|]$. Given a language $L \subseteq \Sigma^*$, the downward closure of L is the language $L\!\downarrow\ = \{u \in \Sigma^* \mid \exists v \in L,\ u \preceq v\}$.

Let $\Theta$ be a subset of $\Sigma$. Given a word $u \in \Sigma^*$, we denote by $u|_\Theta$ the projection of u over $\Theta$, i.e., the word obtained from u by erasing all the symbols that are not in $\Theta$. This definition is extended to languages as follows: If L is a language over $\Sigma$, then $L|_\Theta = \{u|_\Theta \mid u \in L\}$.

The Parikh image of a word $u \in \Sigma^*$ is a function from $\Sigma$ to $\mathbb{N}$ such that: For every $a \in \Sigma$, $\mathrm{Parikh}(u)(a) = |u|_a$. Accordingly, the Parikh image of a language $L \subseteq \Sigma^*$, written $\mathrm{Parikh}(L)$, is the set of Parikh images of $u \in L$.

Let $\Sigma_1$ and $\Sigma_2$ be two alphabets. A homomorphism h is a function from $\Sigma_1^*$ to $\Sigma_2^*$ such that $h(\epsilon) = \epsilon$ and $h(uv) = h(u)h(v)$ for all $u, v \in \Sigma_1^*$. By definition, the homomorphism h is completely characterized by the function $f_h : \Sigma_1 \to \Sigma_2^*$ s.t. for any $a \in \Sigma_1$, $f_h(a) = h(a)$.

1.3. Transition systems. A transition system is a triplet $T = (C, \Sigma, \to)$ where: (1) C is a (possibly infinite) set of configurations (also called states), (2) $\Sigma$ is a finite set of labels (or actions), and (3) $\to\ \subseteq C \times \Sigma_\epsilon \times C$ is a transition relation.

Given two configurations $c, c' \in C$ and an action $a \in \Sigma$, we write $c \xrightarrow{a}_T c'$ if $(c, a, c') \in\ \to$. A finite run $\rho$ of T from c to $c'$ is a finite sequence $c_0 a_1 c_1 a_2 \cdots a_n c_n$, for some $n \ge 1$, such that: (1) $c_0 = c$ and $c_n = c'$, and (2) $c_i \xrightarrow{a_{i+1}}_T c_{i+1}$ for all $i \in [0,n[$. In this case, we say that $\rho$ has length n and is labelled by the word $a_1 a_2 \cdots a_n$.

Let $u \in \Sigma^*$ be an input word. We write $c \stackrel{u}{\Longrightarrow}{}^{n}_{T} c'$ if one of the following two cases holds: (1) $n = 0$, $c = c'$, and $u = \epsilon$, or (2) there is a run $\rho$ of length n from c to $c'$ labelled by u. We also write $c \stackrel{u}{\Longrightarrow}{}^{*}_{T} c'$ to denote that $c \stackrel{u}{\Longrightarrow}{}^{n}_{T} c'$ for some $n \ge 0$. Finally, for every $C_1, C_2 \subseteq C$, we have $\mathrm{Traces}_T(C_1, C_2) = \{u \in \Sigma^* \mid \exists (c_1, c_2) \in C_1 \times C_2,\ c_1 \stackrel{u}{\Longrightarrow}{}^{*}_{T} c_2\}$.

1.4. Finite state automata. A finite state automaton (FSA for short) is a quintuple $A = (Q, \Sigma, \Delta, I, F)$ where: (1) Q is the finite non-empty set of states, (2) $\Sigma$ is the finite set of input symbols (called also the input alphabet), (3) $\Delta \subseteq (Q \times \Sigma_\epsilon \times Q)$ is the transition relation, (4) $I \subseteq Q$ is the set of initial states, and (5) $F \subseteq Q$ is the set of final states. We use $q \xrightarrow{a}_A q'$ to denote that $(q, a, q')$ is in $\Delta$.

The size of A, denoted by $|A|$, is defined by $(|Q| + |\Sigma|)$. We denote by $T(A) = (Q, \Sigma, \Delta)$ the transition system associated to A. The language accepted (or recognized) by A is defined as follows: $L(A) = \mathrm{Traces}_{T(A)}(I, F)$.

It is well known that the class of languages accepted by finite state automata (the class of rational (or regular) languages) is effectively closed under union, intersection, homomorphism, and projection operations [HU79].
1.5. Pushdown automata. A pushdown automaton (PDA for short) is a 7-tuple $\mathcal{P} = (P, \Sigma, \Gamma, \Delta, p_0, \gamma_0, F)$ where:

• P is the finite non-empty set of states,

• $\Sigma$ is the finite set of input symbols (called also the input alphabet),

• $\Gamma$ is the finite set of stack symbols (called also the stack alphabet),

• $\Delta \subseteq ((P \times \Gamma) \times \Sigma_\epsilon \times (P \times \Gamma^{\le 2}))$ is the transition relation (where $\Gamma^{\le 2} = \Gamma_\epsilon \cup \Gamma^2$),

• $p_0 \in P$ is the initial state,

• $\gamma_0 \in \Gamma$ is the initial stack symbol, and

• $F \subseteq P$ is the set of final states.

The size of $\mathcal{P}$, denoted by $|\mathcal{P}|$, is defined as $(|P| + |\Sigma| + |\Gamma|)$. We use $(p, \gamma) \xrightarrow{a}_{\mathcal{P}} (p', u)$ to denote that $((p, \gamma), a, (p', u))$ is in $\Delta$.

A configuration of $\mathcal{P}$ is a pair $(p, w)$ where $p \in P$ and $w \in \Gamma^*$. The set of all configurations of $\mathcal{P}$ is denoted by $Conf(\mathcal{P})$. The transition system associated to $\mathcal{P}$, denoted by $T(\mathcal{P})$, is given by the tuple $(Conf(\mathcal{P}), \Sigma, \to)$ where $\to$ is the smallest transition relation such that: if $(p, \gamma) \xrightarrow{a}_{\mathcal{P}} (p', u)$, then $(p, \gamma w) \xrightarrow{a}_{T(\mathcal{P})} (p', uw)$ for all $w \in \Gamma^*$. The language of $\mathcal{P}$ is defined as follows: $L(\mathcal{P}) = \mathrm{Traces}_{T(\mathcal{P})}(\{(p_0, \gamma_0)\}, F \times \Gamma^*)$.

It is well known that the class of context-free languages (i.e., those accepted by pushdown automata) is closed under concatenation, union, Kleene star, homomorphism, projection, and intersection with a rational language. However, context-free languages are not closed under complement and intersection [HU79].

Let us recall now that the downward closure of a context-free language, with respect to the subword relation, is effectively a rational language.

Theorem 1.1 ([Cou91]). If $\mathcal{P}$ is a PDA, then it is possible to construct, in time and space exponential in $|\mathcal{P}|$, a finite state automaton A such that $L(A) = L(\mathcal{P})\!\downarrow$, and the size $|A|$ is exponential in $|\mathcal{P}|$ in the worst case.

We can prove that the exponential blow-up in Theorem 1.1 cannot be avoided. This is due to the fact that pushdown automata are more succinct than finite state automata. To show that, let us consider the following pushdown automaton $\mathcal{P} = (\{p_0, p_1, p_2\}, \{a\}, \{\bot, \gamma_0, \ldots, \gamma_n\}, \Delta, p_0, \bot, \{p_2\})$ where $n \in \mathbb{N}$ and $\Delta$ is the transition relation composed of the following transitions:

(1) $(p_0, \bot) \xrightarrow{\epsilon}_{\mathcal{P}} (p_1, \gamma_0 \bot)$,

(2) for every $i \in [0,n[$, $(p_1, \gamma_i) \xrightarrow{\epsilon}_{\mathcal{P}} (p_1, \gamma_{i+1}\gamma_{i+1})$,

(3) $(p_1, \gamma_n) \xrightarrow{a}_{\mathcal{P}} (p_1, \epsilon)$, and

(4) $(p_1, \bot) \xrightarrow{\epsilon}_{\mathcal{P}} (p_2, \epsilon)$.

It is easy to observe that $L(\mathcal{P}) = \{a^{2^n}\}$ and therefore the minimal finite state automaton A recognizing $L(\mathcal{P})\!\downarrow$ has at least $2^n$ states, whereas the size of $\mathcal{P}$ is $(n + 5)$.

2. Dynamic network of concurrent pushdown systems

In this section, we introduce dynamic networks of concurrent pushdown systems. Intuitively, a dynamic network of concurrent pushdown systems $\mathcal{M}$ models dynamic multithreaded programs with (potentially) recursive procedure calls. Threads are modeled as pushdown processes which may spawn new threads (or processes). Each thread may have its local variables and also has access to global variables. The values of local variables are modeled using the stack alphabet $\Gamma$, whereas the values of the global variables are modeled using a finite non-empty set of states Q. Transitions of the form $(q, \gamma) \to_{\mathcal{M}} (q', u) \triangleright \epsilon$ correspond to standard transitions of pushdown systems (popping $\gamma$ and then pushing u while changing the state from q to $q'$). Transitions of the form $(q, \gamma) \to_{\mathcal{M}} (q', u) \triangleright \gamma'$ correspond to standard transitions of pushdown systems together with the creation of a thread whose initial stack content is $\gamma' \in \Gamma$. Transitions of the form $(q, \gamma) \mapsto_{\mathcal{M}} (q', u)$ correspond to interrupting the execution of the active thread after performing the standard pushdown operation, and transitions of the form $q \hookrightarrow_{\mathcal{M}} q' \triangleleft \gamma'$ correspond to starting/resuming the execution of a pending thread with topmost stack symbol $\gamma' \in \Gamma$ after changing the state from q to $q'$.

2.1. Syntax.

Definition 2.1 (DCPS). A dynamic network of concurrent pushdown systems (DCPS for short) is a tuple $\mathcal{M} = (Q, \Gamma, \Delta, q_0, \gamma_0)$ where:

• Q is the finite non-empty set of states,

• $\Gamma$ is a finite set of stack symbols (called also stack alphabet),

• $\Delta = \Delta_{cr} \cup \Delta_{in} \cup \Delta_{rs}$ where:

— $\Delta_{cr} \subseteq ((Q \times \Gamma) \times (Q \times \Gamma^{\le 2}) \times \Gamma_\epsilon)$ is a finite set of (creation) transitions,

— $\Delta_{in} \subseteq ((Q \times \Gamma) \times (Q \times \Gamma^{\le 2}))$ is a finite set of (interruption) transitions,

— $\Delta_{rs} \subseteq (Q \times \Gamma \times Q)$ is a finite set of (resumption) transitions,

• $q_0$ is the initial state, and

• $\gamma_0$ is the initial stack symbol.

In the rest of the paper, we adopt the following notations: (1) $(q, \gamma) \to_{\mathcal{M}} (q', u) \triangleright a$ to denote that $((q, \gamma), (q', u), a) \in \Delta_{cr}$, (2) $(q, \gamma) \mapsto_{\mathcal{M}} (q', u)$ to denote that $((q, \gamma), (q', u)) \in \Delta_{in}$, and (3) $q \hookrightarrow_{\mathcal{M}} q' \triangleleft \gamma$ to denote that $(q, \gamma, q') \in \Delta_{rs}$. The size of $\mathcal{M}$ is given by $|\mathcal{M}| = |Q| + |\Gamma|$.

When unbounded recursion is not considered, threads can be modeled as finite state processes instead of pushdown systems. This corresponds to the special case where, for all $((q, \gamma), (q', u), a) \in \Delta_{cr}$ and $((q, \gamma), (q', u)) \in \Delta_{in}$, the pushed word u is of length at most 1.

Definition 2.2 (DCFS). A dynamic network of concurrent finite-state systems (DCFS for short) is a DCPS $\mathcal{M} = (Q, \Gamma, \Delta, q_0, \gamma_0)$ where, for all $((q, \gamma), (q', u), a) \in \Delta_{cr}$ and $((q, \gamma), (q', u)) \in \Delta_{in}$, we have $|u| \le 1$.

2.2. Semantics.

Definition 2.3 (Local configurations of a DCPS). Let $\mathcal{M} = (Q, \Gamma, \Delta, q_0, \gamma_0)$ be a DCPS. A local configuration of a thread of $\mathcal{M}$ is a pair $(w, i)$ where $w \in \Gamma^*$ is its call stack and $i \in \mathbb{N}$ is its switch number. Let $Loc(\mathcal{M})$ denote the set of local configurations of $\mathcal{M}$.

Intuitively, the switch number of a thread is the number of its interruptions/resumptions together with the switch number of its creator (at the moment of the creation) plus one.

Definition 2.4 (Configurations of a DCPS). Let $\mathcal{M} = (Q, \Gamma, \Delta, q_0, \gamma_0)$ be a DCPS. A configuration c of $\mathcal{M}$ is an element of $Q \times (Loc(\mathcal{M}) \cup \{\bot\}) \times [Loc(\mathcal{M}) \to \mathbb{N}]$. We use $Conf(\mathcal{M})$ to denote the set of all configurations of $\mathcal{M}$.

A configuration of the form $(q, (w, i), Val)$ (resp. $(q, \bot, Val)$) of $\mathcal{M}$ means that: (1) $q \in Q$ is the value of the global store, (2) $(w, i)$ is the local configuration of the active thread (resp. there is no active thread), and (3) $Val : Loc(\mathcal{M}) \to \mathbb{N}$ is a function that associates with each $(w', i') \in Loc(\mathcal{M})$ the number of pending threads with local configuration $(w', i')$.

Given a configuration $c = (q, \eta, Val) \in Conf(\mathcal{M})$, let $State(c) = q$, $Active(c) = \eta$, and $Idle(c) = Val$. We use $c^{init}_{\mathcal{M}} = (q_0, \bot, \mathrm{Id}^{Loc(\mathcal{M})}_{\{(\gamma_0, 0)\}})$ to denote the initial configuration of $\mathcal{M}$.

Definition 2.5 (Transition system of a DCPS). Let $\mathcal{M} = (Q, \Gamma, \Delta, q_0, \gamma_0)$ be a DCPS. The transition system associated with $\mathcal{M}$ is given by $T(\mathcal{M}) = (Conf(\mathcal{M}), \Sigma, \to)$ where $\Sigma = \Delta$ and $\to$ is the smallest relation such that:

• if $t = (q, \gamma) \to_{\mathcal{M}} (q', u) \triangleright a$, then $(q, (\gamma w, i), Val) \xrightarrow{t}_{T(\mathcal{M})} (q', (uw, i), Val')$ for all $w \in \Gamma^*$, $i \in \mathbb{N}$, and $Val, Val' \in [Loc(\mathcal{M}) \to \mathbb{N}]$ such that:

— If $a \in \Gamma$, then $Val' = Val + \mathrm{Id}^{Loc(\mathcal{M})}_{\{(a, i+1)\}}$.

— If $a = \epsilon$, then $Val' = Val$.

• if $t = (q, \gamma) \mapsto_{\mathcal{M}} (q', u)$, then $(q, (\gamma w, i), Val) \xrightarrow{t}_{T(\mathcal{M})} (q', \bot, Val + \mathrm{Id}^{Loc(\mathcal{M})}_{\{(uw, i+1)\}})$ for all $w \in \Gamma^*$, $i \in \mathbb{N}$, and $Val \in [Loc(\mathcal{M}) \to \mathbb{N}]$.

• if $t = q \hookrightarrow_{\mathcal{M}} q' \triangleleft \gamma$, then $(q, \bot, Val + \mathrm{Id}^{Loc(\mathcal{M})}_{\{(\gamma w, i)\}}) \xrightarrow{t}_{T(\mathcal{M})} (q', (\gamma w, i), Val)$ for all $w \in \Gamma^*$, $i \in \mathbb{N}$, and $Val \in [Loc(\mathcal{M}) \to \mathbb{N}]$.

where for all sets A and C such that $C \subseteq A$, $\mathrm{Id}^A_C$ denotes the function from A to $\mathbb{N}$ such that $\mathrm{Id}^A_C(a) = 1$ if $a \in C$ and $\mathrm{Id}^A_C(a) = 0$ if $a \in (A \setminus C)$ (see Equation (1.1)).

The transition $(q, (\gamma w, i), Val) \xrightarrow{t}_{T(\mathcal{M})} (q', (uw, i), Val')$, with $t = (q, \gamma) \to_{\mathcal{M}} (q', u) \triangleright a$, corresponds to the execution of a pushdown operation (pop or push) with the possible creation of a new thread (if $a \in \Gamma$), which is added to the set of pending threads. The created thread gets the switch number $i + 1$. The transition $(q, (\gamma w, i), Val) \xrightarrow{t}_{T(\mathcal{M})} (q', \bot, Val')$, with $t = (q, \gamma) \mapsto_{\mathcal{M}} (q', u)$, corresponds to interrupting the execution of the current active thread after performing the pushdown operation: The local configuration $(uw, i)$ of the active thread is added to the set of idle threads after incrementing its switch number. The transition $(q, \bot, Val) \xrightarrow{t}_{T(\mathcal{M})} (q', (\gamma w, i), Val')$, with $t = q \hookrightarrow_{\mathcal{M}} q' \triangleleft \gamma$, corresponds to starting/resuming (from the state $q'$) the execution of a pending thread with local configuration $(\gamma w, i)$.


2.3. Bounded semantics. Let $\mathcal{M} = (Q, \Gamma, \Delta, q_0, \gamma_0)$ be a DCPS. For every $I \subseteq \mathbb{N}$, let $Conf_I(\mathcal{M})$ denote the set of configurations of $\mathcal{M}$ such that $c \in Conf_I(\mathcal{M})$ if and only if $Active(c) \in \Gamma^* \times I$. In the following, we restrict the behavior of $T(\mathcal{M})$ to the set of runs where the switch numbers of the active threads are always in I.

Definition 2.6 (Bounded transition system of a DCPS). For every $I \subseteq \mathbb{N}$, $T_I(\mathcal{M})$ denotes the transition system $(Conf(\mathcal{M}), \Delta, \to_I)$ where: For every $c, c' \in Conf(\mathcal{M})$, $c \xrightarrow{t}_{T_I(\mathcal{M})} c'$ if and only if: (1) $c \xrightarrow{t}_{T(\mathcal{M})} c'$, and (2) $c \in Conf_I(\mathcal{M})$ or $c' \in Conf_I(\mathcal{M})$.

2.4. Reachability problems. Let $\mathcal{M} = (Q, \Gamma, \Delta, q_0, \gamma_0)$ be a DCPS. We consider the following three notions of reachability:

Definition 2.7 (The state reachability problem). A state $q \in Q$ is reachable by $\mathcal{M}$ if and only if there are $c \in Conf(\mathcal{M})$ and $\tau \in \Delta^*$ such that $c^{init}_{\mathcal{M}} \stackrel{\tau}{\Longrightarrow}{}^{*}_{T(\mathcal{M})} c$, $Active(c) = \bot$, and $State(c) = q$. The state reachability (SR for short) problem for $\mathcal{M}$ consists in deciding, for a given set $F \subseteq Q$, whether there is a state $q \in F$ such that q is reachable by $\mathcal{M}$.

Notice that we consider, in the definition of the state reachability problem, that the reachable configurations we are interested in are those with no active thread. This is only for the sake of simplicity and does not constitute a restriction at all. Indeed, we can show that the problem of checking whether there are $c \in Conf(\mathcal{M})$ and $\tau \in \Delta^*$ such that $c^{init}_{\mathcal{M}} \stackrel{\tau}{\Longrightarrow}{}^{*}_{T(\mathcal{M})} c$ and $State(c) \in F$ can be reduced to the state reachability problem for a DCPS $\mathcal{M}' = (Q, \Gamma, \Delta', q_0, \gamma_0)$ built from $\mathcal{M}$ by adding to $\Delta$ some transition rules that interrupt the execution of the active thread when the current state is in F.

Definition 2.8 (The k-bounded state reachability problem). Let $k \in \mathbb{N}$. A state $q \in Q$ is k-bounded reachable by $\mathcal{M}$ if and only if there are $c \in Conf(\mathcal{M})$ and $\tau \in \Delta^*$ such that $c^{init}_{\mathcal{M}} \stackrel{\tau}{\Longrightarrow}{}^{*}_{T_{[0,k]}(\mathcal{M})} c$, $Active(c) = \bot$, and $State(c) = q$. The k-bounded state reachability (BSR[k] for short) problem for $\mathcal{M}$ consists in deciding, for a given set $F \subseteq Q$, whether there is a state $q \in F$ such that q is k-bounded reachable by $\mathcal{M}$.

Observe that, in the BSR[k] problem, a bound $k + 1$ is imposed on the number of switches (interruptions/resumptions) performed by each thread (together with the switch number of its ancestor (at the moment of its creation) plus one). However, due to dynamic creation of threads, bounding the number of switches of each thread does not bound the number of switches in the whole computation of the system (since an arbitrarily large number of threads can be involved in these computations).

Definition 2.9 (The k-stratified state reachability problem). Let $k \in \mathbb{N}$. A state $q \in Q$ is k-stratified reachable by $\mathcal{M}$ if and only if there are $\tau_0, \tau_1, \ldots, \tau_k \in \Delta^*$, and $c_1, \ldots, c_{k+1} \in Conf(\mathcal{M})$ such that $State(c_{k+1}) = q$, $Active(c_{k+1}) = \bot$, and we have:

$c^{init}_{\mathcal{M}} \stackrel{\tau_0}{\Longrightarrow}{}^{*}_{T_{\{0\}}(\mathcal{M})} c_1 \stackrel{\tau_1}{\Longrightarrow}{}^{*}_{T_{\{1\}}(\mathcal{M})} \cdots \stackrel{\tau_{k-1}}{\Longrightarrow}{}^{*}_{T_{\{k-1\}}(\mathcal{M})} c_k \stackrel{\tau_k}{\Longrightarrow}{}^{*}_{T_{\{k\}}(\mathcal{M})} c_{k+1}$

The k-stratified state reachability (SSR[k] for short) problem for $\mathcal{M}$ consists in deciding, for a given $F \subseteq Q$, whether there is a state $q \in F$ s.t. q is k-stratified reachable by $\mathcal{M}$.

In the SSR[k] problem, a special kind of k-bounded computations (called stratified computations) is considered: In such a computation, threads are scheduled according to their increasing switch number (from 0 to k): First, threads with switch number 0 are scheduled, generating threads with switch number 1, then threads with switch number 1 are scheduled, generating threads with switch number 2, and so on.

Observe that even in the case of stratified computations, an arbitrarily large number of context switches may occur along a computation due to dynamic creation of threads. Very particular stratified computations are those where the whole number of context switches is bounded [QR05].
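As an added illustration of Definitions 2.5 to 2.9 (this code is not part of the paper, and the encoding of rules as tuples is our own assumption), the following Python executes the transition relation of a DCPS, restricts it to the bounded semantics $T_I(\mathcal{M})$, and checks BSR[k] and SSR[k] by a depth-bounded breadth-first search; stacks are kept as strings, so it also runs on pushdown threads, not only on the DCFS case. The constructed example is a DCFS whose target state is 2-bounded reachable but neither 1-bounded nor 2-stratified reachable, which separates the two notions.

```python
from collections import Counter, deque

# Hypothetical encoding of a DCPS (assumption, not the paper's notation or code): stacks are
# strings (a DCFS keeps them of length <= 1), a local configuration is (stack, switch_number),
# Val is a frozenset of ((stack, switch), count) pairs (a hashable multiset), and a
# configuration is (state, active, Val) with active == None standing for ⊥.
# Rules: creation (q, g) -> (q', u) ▷ a is (q, g, q', u, a) with a == "" for "no creation";
# interruption (q, g) ↦ (q', u) is (q, g, q', u); resumption q ↪ q' ◁ g is (q, q', g).

class DCPS:
    def __init__(self, q0, g0, creation, interruption, resumption):
        self.q0, self.g0 = q0, g0
        self.creation, self.interruption, self.resumption = creation, interruption, resumption

    def initial(self):
        # c_init = (q0, ⊥, Id_{(γ0,0)}): one pending thread holding γ0 with switch number 0
        return (self.q0, None, frozenset({((self.g0, 0), 1)}))

def _shift(val, lc, delta):
    # Val + Id_{lc} (delta = +1) or Val - Id_{lc} (delta = -1, lc known to be pending)
    c = Counter(dict(val))
    c[lc] += delta
    return frozenset((k, n) for k, n in c.items() if n > 0)

def successors(m, c):
    """All (rule, c') such that c -->_{T(M)} c' (Definition 2.5)."""
    q, active, val = c
    out = []
    if active is None:
        # resumption q ↪ q' ◁ γ: activate a pending thread whose topmost symbol is γ
        for (p, p2, g) in m.resumption:
            for (w, i), _n in val:
                if p == q and w[:1] == g:
                    out.append(((p, p2, g), (p2, (w, i), _shift(val, (w, i), -1))))
        return out
    w, i = active
    if not w:                      # empty stack: no rule can fire
        return out
    g, rest = w[0], w[1:]
    for rule in m.creation:
        p, gg, p2, u, a = rule
        if (p, gg) == (q, g):
            # the created thread (if any) gets switch number i + 1; the active one keeps i
            val2 = _shift(val, (a, i + 1), +1) if a else val
            out.append((rule, (p2, (u + rest, i), val2)))
    for rule in m.interruption:
        p, gg, p2, u = rule
        if (p, gg) == (q, g):
            # the active thread becomes pending with its switch number incremented
            out.append((rule, (p2, None, _shift(val, (u + rest, i + 1), +1))))
    return out

def in_conf(c, I):
    # c ∈ Conf_I(M): the active thread's switch number lies in I
    return c[1] is not None and c[1][1] in I

def closure(m, starts, I, max_depth):
    """Configurations reachable from `starts` in T_I(M) (Definition 2.6) within max_depth steps.
    The state space is infinite in general, so this is a bounded search, not a decision procedure."""
    seen, frontier = set(starts), deque((c, 0) for c in starts)
    while frontier:
        c, d = frontier.popleft()
        if d == max_depth:
            continue
        for _rule, c2 in successors(m, c):
            if (in_conf(c, I) or in_conf(c2, I)) and c2 not in seen:
                seen.add(c2)
                frontier.append((c2, d + 1))
    return seen

def bounded_reachable(m, k, targets, max_depth=30):
    """BSR[k] (Definition 2.8): some target state reached with no active thread in T_[0,k](M)."""
    reach = closure(m, {m.initial()}, set(range(k + 1)), max_depth)
    return any(c[1] is None and c[0] in targets for c in reach)

def stratified_reachable(m, k, targets, max_depth=30):
    """SSR[k] (Definition 2.9): run T_{0}(M), then T_{1}(M), ..., then T_{k}(M)."""
    layer = {m.initial()}
    for level in range(k + 1):
        layer = closure(m, layer, {level}, max_depth)
    return any(c[1] is None and c[0] in targets for c in layer)

# Constructed example DCFS (an assumption, not taken from the paper). Thread A (symbol a)
# spawns B (s), B spawns C (x), C moves the global store to q1, and A can only terminate in
# qf after reading q1, so A (switch number 1) must run after C (switch number 2).
EXAMPLE = DCPS(
    q0="q0", g0="a",
    creation=[("q0", "a", "q0", "b", "s"),      # A spawns B, which gets switch number 1
              ("q0", "s", "q0", "t", "x")],     # B spawns C, which gets switch number 2
    interruption=[("q0", "b", "q0", "c"),       # A interrupts: pending (c, 1)
                  ("q0", "t", "q0", "u"),       # B interrupts: pending (u, 2)
                  ("q0", "x", "q1", ""),        # C sets q1 and interrupts with an empty stack
                  ("q1", "c", "qf", "")],       # A, resumed in q1, terminates in qf
    resumption=[("q0", "q0", "a"), ("q0", "q0", "s"), ("q0", "q0", "x"), ("q1", "q1", "c")],
)
```

Running `bounded_reachable(EXAMPLE, 2, {"qf"})` returns True while `bounded_reachable(EXAMPLE, 1, {"qf"})` and `stratified_reachable(EXAMPLE, 2, {"qf"})` return False, matching the observation that stratified computations are a strict subset of the k-bounded ones.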
3. The SR problem and the BSR[k] problem for DCFSs

In the following, we show that the SR problem and the BSR[k] problem for dynamic networks of concurrent finite-state systems are as hard as the coverability problem for vector addition systems with states (which is EXPSPACE-complete).

Theorem 3.1. The SR problem and the BSR[k] problem, with $k \ge 2$, for DCFSs are EXPSPACE-complete.

Next, we recall some basic definitions and notations about vector addition systems with states (or equivalently, Petri nets). Then, the proof of Theorem 3.1 is structured as follows: First, we show that the BSR[k] problem for DCFSs is polynomially reducible to the SR problem for DCFSs (Proposition 3.4). Then, we show that the SR problem for DCFSs is polynomially reducible to the coverability problem for VASSs (Proposition 3.6). Finally, we prove that the coverability problem for VASSs is polynomially reducible to the BSR[2] problem for DCFSs (Proposition 3.8). As an immediate consequence of these results and Theorem 3.2, we obtain that the SR problem and the BSR[k] problem for DCFSs are EXPSPACE-complete.

3.1. Vector addition systems with states. A vector addition system with states (VASS for short) is a tuple $\mathcal{V} = (n, Q, \Sigma, \delta, q_0, u_0)$ where:

• $n \in \mathbb{N}$ is the dimension,

• Q is the finite non-empty set of states,

• $\Sigma$ is the finite set of actions (or labels),

• $\delta : Q \times \Sigma \to Q \times ([-1,1])^n$ is the displacement function,

• $q_0 \in Q$ is the initial state, and

• $u_0$ is the initial n-dim vector over $\mathbb{N}$ such that $0 \le u_0(i) \le 1$ for all $i \in [1,n]$.

The size of $\mathcal{V}$, denoted by $|\mathcal{V}|$, is defined as $(n + |Q| + |\Sigma|)$. A configuration of $\mathcal{V}$ is a pair $(q, u)$ where $q \in Q$ and $u \in \mathbb{N}^n$. Given a configuration $c = (q, u)$, we let $State(c) = q$ and $Val(c) = u$. The set of all configurations of $\mathcal{V}$ is denoted by $Conf(\mathcal{V})$.

The transition system associated to $\mathcal{V}$, denoted by $T(\mathcal{V})$, is given by $(Conf(\mathcal{V}), \Sigma, \to)$, where $\to$ is the smallest transition relation satisfying the following condition: For every $q_1, q_2 \in Q$ and $u_1, u_2 \in \mathbb{N}^n$, $(q_1, u_1) \xrightarrow{a}_{T(\mathcal{V})} (q_2, u_2)$ if and only if $\delta((q_1, a)) = (q_2, u_2 - u_1)$.

A state $q \in Q$ is reachable by $\mathcal{V}$ if and only if there are $w \in \Sigma^*$ and $c \in Conf(\mathcal{V})$ such that $(q_0, u_0) \stackrel{w}{\Longrightarrow}{}^{*}_{T(\mathcal{V})} c$ and $State(c) = q$. The coverability problem for $\mathcal{V}$ consists in deciding, for a given set $F \subseteq Q$, whether there is $q \in F$ such that q is reachable by $\mathcal{V}$.

Theorem 3.2 ([Lip76, Rac78]). The coverability problem for vector addition systems with states is EXPSPACE-complete.

3.2. From the BSR[fc] problem for DCFSs to the SR problem for DCFSs. In the 

following, we show that, for every k G N, the BSR[fc] for DCFSs is polynomially reducible to 
the SR problem for DCFSs. Intuitively, given a DCFS M. = (Q, T, A, go, 70) and a natural 
number k, we construct a DCFS M' that records for each thread its switch number and 
can execute only threads with recorded switch number less than k. Formally, the DCFS 
M! = (Q',r',A',g ,7 ) is defined as follows: 

• Q' = Q is a finite set of states, 
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• r' = T e x [0, k + 1] is a finite set of stack symbols. A stack symbol (a, i) corresponds to 
a thread with stack content a and switch number i. 

• A' is the smallest transition relation satisfying the following conditions: 

— For every i G [0, k] and (q, 7) ->m (q\ u) t> e, then (q, (7, i)) -> M > (q', (u, i)) t> e. 

— For every £ € [0, k] and ((7,7) —>m{q' \ u ) t> a for some stack symbol a G T, then 

(?) (7, 0) (?'> («> *)) > (a, « + 1). 

— For every i G [0, A;] and ((7,7) h+jw (q',u), then (9,(7,*)) ^a^' (<?', (u, i + 1)). 

— For every i G [0, fc] and q *->m 0.' <1 7> then g i-^' <?' <1 (7; 0- 

• Qo = Qo is the initial state, and 

• 7g = (70,0) is the initial stack symbol. 

Observe that the size of the DCFS $\mathcal{M}'$ is polynomial in the size of $\mathcal{M}$. Moreover, the 
relation between $\mathcal{M}$ and $\mathcal{M}'$ is given by the following lemma: 

Lemma 3.3. Let $q \in Q$. $q$ is $k$-bounded reachable by $\mathcal{M}$ iff $q$ is reachable by $\mathcal{M}'$. 

The proof of Lemma 3.3 is done by induction on the length of the runs and is given in 
Appendix A. 

As an immediate consequence of Lemma 3.3 we obtain the following result: 

Proposition 3.4. Let $k > 1$. The BSR[k] problem for DCFSs is polynomially reducible to 
the SR problem for DCFSs. 
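As an added illustration of the reduction above (this is example code written for this edit, not code from the paper), the following Python encodes a DCFS as a list of rule tuples, builds $\mathcal{M}'$ from $\mathcal{M}$ by annotating every stack symbol with a switch number and instantiating each rule for $i \in [0,k]$, and then decides reachability of $\mathcal{M}'$ by an explicit-state search. The search caps the number of pending threads, which is an assumption of this example: reachability for DCFSs is in general decided through VASS coverability, not by enumeration. The toy DCFS with states q0 to q3 and the rule encoding are constructed here.

```python
from collections import deque

EPS = ""   # the empty stack content (epsilon)

# Rule encoding used by this example (a constructed format, not the paper's notation):
#   ("step", q, g, q2, u, alpha)  stands for  (q, g) ->_M (q2, u) |> alpha   (alpha == EPS: no spawn)
#   ("intr", q, g, q2, u)         stands for  (q, g) interrupt->_M (q2, u)   (active thread becomes pending)
#   ("act",  q, q2, g)            stands for  q |->_M q2 <| g                (activate a pending thread)


def bound_switches(rules, gamma0, k):
    """Build M' from M: every stack symbol becomes (symbol, switch_number) and each rule
    is instantiated only for switch numbers i in [0, k], so a thread whose recorded
    switch number exceeds k can never be executed.  Returns (rules', gamma0')."""
    out = []
    for r in rules:
        for i in range(k + 1):
            if r[0] == "step":
                _, q, g, q2, u, a = r
                spawned = EPS if a == EPS else (a, i + 1)        # child inherits i + 1
                out.append(("step", q, (g, i), q2, (u, i), spawned))
            elif r[0] == "intr":
                _, q, g, q2, u = r
                out.append(("intr", q, (g, i), q2, (u, i + 1)))  # interrupted thread gets i + 1
            elif r[0] == "act":
                _, q, q2, g = r
                out.append(("act", q, q2, (g, i)))
    return out, (gamma0, 0)


def reachable_states(rules, q0, gamma0, max_pending=6):
    """Explicit-state search over DCFS configurations (q, active, pending): `active` is the
    stack content of the running thread (None when no thread is active) and `pending` is a
    sorted tuple standing for the multiset of pending stack contents.  Initially no thread
    is active and one pending thread has content gamma0.
    ASSUMPTION of this example: spawns beyond `max_pending` pending threads are dropped so
    the search terminates; this is a bounded search, not the paper's coverability procedure."""
    start = (q0, None, (gamma0,))
    seen, todo = {start}, deque([start])
    while todo:
        q, active, pending = todo.popleft()
        for r in rules:
            if r[0] == "step" and r[1] == q and active is not None and r[2] == active:
                _, _, _, q2, u, a = r
                if a == EPS:
                    succ = (q2, u, pending)
                elif len(pending) < max_pending:
                    succ = (q2, u, tuple(sorted(pending + (a,))))
                else:
                    continue
            elif r[0] == "intr" and r[1] == q and active is not None and r[2] == active:
                _, _, _, q2, u = r
                succ = (q2, None, tuple(sorted(pending + (u,))))
            elif r[0] == "act" and r[1] == q and active is None and r[3] in pending:
                _, _, q2, g = r
                rest = list(pending)
                rest.remove(g)
                succ = (q2, g, tuple(rest))
            else:
                continue
            if succ not in seen:
                seen.add(succ)
                todo.append(succ)
    return {conf[0] for conf in seen}


def k_bounded_reachable(rules, q0, gamma0, k, target, max_pending=6):
    """BSR[k] via Lemma 3.3: q is k-bounded reachable by M iff q is reachable by M'."""
    rules_k, gamma0_k = bound_switches(rules, gamma0, k)
    return target in reachable_states(rules_k, q0, gamma0_k, max_pending)


# Constructed toy DCFS: the main thread (g0) spawns a thread a, a spawns b, and only b reaches q3.
# Thread a gets switch number 1 and b gets switch number 2, so q3 needs k >= 2.
TOY_RULES = [
    ("act",  "q0", "q0", "g0"),             # activate the initial thread
    ("step", "q0", "g0", "q0", "g0", "a"),  # main spawns a
    ("intr", "q0", "g0", "q1", EPS),        # main stops, global state q1
    ("act",  "q1", "q1", "a"),              # activate a
    ("step", "q1", "a", "q1", "a", "b"),    # a spawns b
    ("intr", "q1", "a", "q2", EPS),         # a stops, global state q2
    ("act",  "q2", "q2", "b"),              # activate b
    ("step", "q2", "b", "q3", EPS, EPS),    # b reaches the target q3
]

if __name__ == "__main__":
    for k in range(3):
        rules_k, g0k = bound_switches(TOY_RULES, "g0", k)
        print("k =", k, "reachable:", sorted(reachable_states(rules_k, "q0", g0k)))
```

Running the block prints the reachable global states for k = 0, 1, 2; q3 appears only at k = 2, while plain reachability of the unannotated toy DCFS reaches all four states.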

3.3. From the SR problem for DCFSs to the coverability problem for VASSs. 

In the following, we show that the SR problem for DCFSs is polynomially reducible to 
the coverability problem for VASSs. For a given DCFS $\mathcal{M} = (Q, \Gamma, \Delta, q_0, \gamma_0)$ with $\Gamma = 
\{\gamma_0, \ldots, \gamma_n\}$, we can construct a VASS $\mathcal{V} = (m, P, \Sigma, \delta, p_0, u_0)$ which has the following 
structure: 

• $m = n + 2$ is the dimension of $\mathcal{V}$. It is easy to observe that the dimension of $\mathcal{V}$ is equal 
to $|\Gamma_\epsilon|$, which is the number of all possible stack contents of threads of $\mathcal{M}$. 

• $P = (Q \times (\Gamma_\epsilon \cup \{\bot\})) \cup \{p_{halt}\}$ is the set of states of $\mathcal{V}$ (with $p_{halt} \notin Q$). A state of the 
form $(q, w) \in Q \times \Gamma_\epsilon$ (resp. $(q, \bot)$) of $\mathcal{V}$ means that the state of $\mathcal{M}$ is $q$ and that the stack 
content of the active thread is $w$ (resp. there is no active thread). The state $p_{halt}$ is used 
in order to interrupt the simulation of $\mathcal{M}$ by $\mathcal{V}$. 

• $\Sigma = \Delta$ is the input alphabet of $\mathcal{V}$. 

• $\delta : P \times \Sigma \rightarrow P \times ([-1, 1])^m$ is the transition function of $\mathcal{V}$ defined as follows: For every 
$p \in P$ and $t \in \Sigma$, we have: 

- $\delta(p, t) = (p', 0^m)$ if there are $q, q' \in Q$, $\gamma \in \Gamma$, and $u \in \Gamma_\epsilon$ such that $t = (q, \gamma) \rightarrow_{\mathcal{M}} 
(q', u) \triangleright \epsilon$, $p = (q, \gamma)$, and $p' = (q', u)$. This corresponds to the simulation of a 
transition rule of $\mathcal{M}$ without thread creation. 

- $\delta(p, t) = (p', 0^m[i \leftarrow 1])$ if $i \in [1, m[$ and there are $q, q' \in Q$, $\gamma \in \Gamma$, and $u \in \Gamma_\epsilon$ such 
that $t = (q, \gamma) \rightarrow_{\mathcal{M}} (q', u) \triangleright \gamma_{i-1}$, $p = (q, \gamma)$, and $p' = (q', u)$. This corresponds to the 
simulation of a transition rule of $\mathcal{M}$ with thread creation. 

- $\delta(p, t) = (p', 0^m[j \leftarrow 1])$ if $j \in [1, m]$, and there are $q, q' \in Q$, $\gamma \in \Gamma$, and $u \in \Gamma_\epsilon$ such 
that $t = (q, \gamma) \hookrightarrow_{\mathcal{M}} (q', u)$, $p = (q, \gamma)$, $p' = (q', \bot)$, $u = \epsilon$ if $j = m$, and $u = \gamma_{j-1}$ 
if $j < m$. This corresponds to the interruption of the execution of the current active 
thread. 

- $\delta(p, t) = (p', 0^m[i \leftarrow -1])$ if $i \in [1, m[$ and there are $q, q' \in Q$ such that $t = q \mapsto_{\mathcal{M}} 
q' \triangleleft \gamma_{i-1}$, $p = (q, \bot)$, and $p' = (q', \gamma_{i-1})$. This corresponds to the execution of a 
pending thread with topmost stack symbol $\gamma_{i-1}$. 

- $\delta(p, t) = (p_{halt}, 0^m)$ otherwise. This indicates the end of the simulation of $\mathcal{M}$ by $\mathcal{V}$ 
whenever the transition $t$ cannot be applied from the state $p$. 

• $u_0 = (1, 0, \ldots, 0)$. This corresponds to the initial pending thread of $\mathcal{M}$ (i.e., initially $\mathcal{M}$ 
has one pending thread with local configuration $(\gamma_0, 0)$). 

• $p_0 = (q_0, \bot)$ is the initial state of $\mathcal{V}$. This corresponds to the initial state $q_0$ of $\mathcal{M}$. 

Observe that the size of $\mathcal{V}$ is polynomial in the size of $\mathcal{M}$. Moreover, the relation 
between $\mathcal{M}$ and $\mathcal{V}$ is given by the following lemma: 

Lemma 3.5. Let $q \in Q$. $q$ is reachable by $\mathcal{M}$ if and only if $(q, \bot)$ is reachable by $\mathcal{V}$. 

The proof of Lemma 3.5 is done by induction on the length of the runs and is given in 
Appendix B. 

As an immediate consequence of Lemma 3.5 we obtain the following result: 

Proposition 3.6. The SR problem for DCFSs is polynomially reducible to the coverability 
problem for VASSs. 
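To make the construction of Section 3.3 concrete, here is an added Python example (written for this edit, not from the paper) that turns a DCFS given as rule tuples into the VASS just described: counter $i$ (for $i \in [1, n+1]$) counts the pending threads whose stack content is $\gamma_{i-1}$ and counter $m$ counts the pending threads with empty stack; states are pairs of a global state and the active thread's stack content, with `None` standing for $\bot$. The $p_{halt}$ default transitions are left out because $p_{halt}$ is a sink and never contributes to reaching a target state. A breadth-first search with capped counters stands in for a real coverability algorithm (an assumption of this example, made so that the search terminates). The toy DCFS is constructed here.

```python
from collections import deque

EPS = ""     # empty stack content
BOT = None   # stands for the marker "no active thread" (the paper's bottom symbol)

# Rule encoding (constructed for this example):
#   ("step", q, g, q2, u, alpha): (q, g) -> (q2, u) |> alpha     ("intr", q, g, q2, u): interruption
#   ("act", q, q2, g): activate a pending thread with stack content g


def dcfs_to_vass(rules, gamma):
    """Section 3.3 construction.  `gamma` lists Γ = [γ0, ..., γn]; the VASS has m = n + 2
    counters: counter i+1 counts pending threads with content γi, counter m those with
    empty content.  Returns (m, transitions) with transitions (p, rule, p2, vector)."""
    m = len(gamma) + 1
    index = {g: i for i, g in enumerate(gamma)}
    index[EPS] = m - 1

    def unit(i, value):
        vec = [0] * m
        vec[i] = value
        return tuple(vec)

    zero = tuple([0] * m)
    trans = []
    for r in rules:
        if r[0] == "step":                     # pushdown step; a spawn adds one pending thread
            _, q, g, q2, u, a = r
            vec = zero if a == EPS else unit(index[a], +1)
            trans.append(((q, g), r, (q2, u), vec))
        elif r[0] == "intr":                   # the active thread becomes pending with content u
            _, q, g, q2, u = r
            trans.append(((q, g), r, (q2, BOT), unit(index[u], +1)))
        elif r[0] == "act":                    # consume one pending thread with content g
            _, q, q2, g = r
            trans.append(((q, BOT), r, (q2, g), unit(index[g], -1)))
    return m, trans


def coverable(trans, p0, u0, is_target, cap=4):
    """Bounded explicit search: is a configuration (p, u) with is_target(p) reachable?
    ASSUMPTION: every counter is capped at `cap` so the search terminates; a real
    coverability check (Theorem 3.2) needs no such cap."""
    start = (p0, tuple(u0))
    seen, todo = {start}, deque([start])
    while todo:
        p, u = todo.popleft()
        if is_target(p):
            return True
        for src, _, dst, vec in trans:
            if src != p:
                continue
            nu = tuple(x + d for x, d in zip(u, vec))
            if min(nu) < 0 or max(nu) > cap:      # negative: blocked; above cap: pruned
                continue
            if (dst, nu) not in seen:
                seen.add((dst, nu))
                todo.append((dst, nu))
    return False


# Constructed toy DCFS with Γ = {g0, a, b}: main spawns a, a spawns b, b reaches q3.
TOY_GAMMA = ["g0", "a", "b"]
TOY_RULES = [
    ("act",  "q0", "q0", "g0"),
    ("step", "q0", "g0", "q0", "g0", "a"),   # main spawns a
    ("intr", "q0", "g0", "q1", EPS),
    ("act",  "q1", "q1", "a"),
    ("step", "q1", "a", "q1", "a", "b"),     # a spawns b
    ("intr", "q1", "a", "q2", EPS),
    ("act",  "q2", "q2", "b"),
    ("step", "q2", "b", "q3", EPS, EPS),
]


def toy_reaches(state, initial_pending=1):
    """u0 = (initial_pending, 0, ..., 0): pending threads with content g0 at the start."""
    m, trans = dcfs_to_vass(TOY_RULES, TOY_GAMMA)
    u0 = [initial_pending] + [0] * (m - 1)
    return coverable(trans, ("q0", BOT), u0, lambda p: p[0] == state)


if __name__ == "__main__":
    m, trans = dcfs_to_vass(TOY_RULES, TOY_GAMMA)
    print("dimension", m)
    for src, rule, dst, vec in trans:
        print(src, "--", rule[0], "->", dst, vec)
    print("q3 coverable:", toy_reaches("q3"))
```

The printed transition table shows the correspondence stated in the construction: spawn rules add $+1$ to the counter of the created symbol, interruptions add $+1$ to the counter of the interrupted thread's new content, and activations subtract $1$.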

3.4. From the coverability problem for VASSs to the BSR[2] problem for DCFSs. 

In the following, we prove that the coverability problem for VASSs is polynomially reducible 
to the BSR[2] problem for DCFSs. Given a VASS $\mathcal{V} = (n, Q, \Sigma, \delta, q_0, u_0)$, we construct a DCFS $\mathcal{M}$ 
such that the coverability problem for $\mathcal{V}$ is reducible to the BSR[2] problem for $\mathcal{M}$. We 
assume w.l.o.g. that for every $q \in Q$ and $a \in \Sigma$, $\delta(q, a) \in Q \times \{u \in \mathbb{Z}^n \mid \sum_{i=1}^{n} |u[i]| \leq 1\}$ 
and $u_0 = 0^n$. Intuitively, $\mathcal{M}$ has, for each $i \in [1, n]$, a stack symbol $\gamma_i$ such that the 
number of pending threads with local configuration $(\gamma_i, 2)$ denotes the current value of the 
$i$-th counter of $\mathcal{V}$. The system $\mathcal{M}$ has also a special stack symbol $\gamma'$ such that the pending 
threads with local configuration $(\gamma', 1)$ are used to create threads with local configuration 
$(\gamma_i, 2)$ where $i \in [1, n]$ (which corresponds to the increment of the value of a counter of 
$\mathcal{V}$). We now sketch the behavior of $\mathcal{M}$. First, $\mathcal{M}$ creates an arbitrary number of threads 
with local configuration $(\gamma', 1)$ from the initial configuration. Then, the simulation of a 
rule $\delta(q, a) = (q', u)$ depends on the value of the vector $u$: (1) if $u = 0^n$, then $\mathcal{M}$ moves 
its state from $q$ to $q'$; (2) if $u = 0^n[i \leftarrow 1]$ for some $i \in [1, n]$, then $\mathcal{M}$ uses a thread with 
local configuration $(\gamma', 1)$ to create a thread with local configuration $(\gamma_i, 2)$ while moving 
its state from $q$ to $q'$; and (3) if $u = 0^n[i \leftarrow -1]$ for some $i \in [1, n]$, then $\mathcal{M}$ transforms the 
local configuration of a pending thread from $(\gamma_i, 2)$ to $(\epsilon, 3)$. Formally, $\mathcal{M} = (P, \Gamma, \Delta, p_0, \gamma_0)$ 
is built from $\mathcal{V}$ as follows: 

• $P = \{p_0\} \cup Q$ is the set of states, with $p_0 \notin Q$. $p_0$ is the initial state. A state $q \in Q$ 
represents the current state of $\mathcal{V}$. 

• $\Gamma = \{\gamma_0, \gamma_1, \ldots, \gamma_n\} \cup \{\gamma'\}$ is the finite set of stack symbols. The symbol $\gamma_0$ is 
the initial stack symbol. The symbol $\gamma'$ represents the stack content of auxiliary threads 
that are "consumed" in order to simulate an operation of $\mathcal{V}$. For every $i \in [1, n]$, the 
number of pending threads with stack content $\gamma_i$ denotes the current value of the $i$-th 
counter of $\mathcal{V}$. 

• $\Delta$ is the smallest transition relation satisfying the following conditions: 

- $(p_0, \gamma_0) \rightarrow_{\mathcal{M}} (p_0, \gamma_0) \triangleright \gamma'$ and $(p_0, \gamma_0) \hookrightarrow_{\mathcal{M}} (q_0, \epsilon)$. These transitions create an arbitrary 
number of threads with local configuration $(\gamma', 1)$ before moving the state from $p_0$ to 
$q_0$. 

- For every $q \in Q$, we have $q \mapsto_{\mathcal{M}} q \triangleleft \gamma'$. This transition starts the 
execution of a pending thread with stack content $\gamma'$ to simulate an operation of $\mathcal{V}$ that 
increments the value of a counter. 

- For every $q \in Q$, we have $(q, \gamma') \hookrightarrow_{\mathcal{M}} (q, \epsilon)$. This transition corresponds to the 
interruption of the execution of the current active thread with stack content $\gamma'$ in order 
to permit the simulation by $\mathcal{M}$ of an operation of $\mathcal{V}$ that decrements a counter. 

- For every $q, q' \in Q$ and $a \in \Sigma$, if $\delta(q, a) = (q', 0^n)$, then $(q, \gamma') \rightarrow_{\mathcal{M}} (q', \gamma') \triangleright \epsilon$. This 
transition simulates an operation of $\mathcal{V}$ that moves the state from $q$ to $q'$. 

- For every $q, q' \in Q$, $a \in \Sigma$, and each $i \in [1, n]$, if $\delta(q, a) = (q', 0^n[i \leftarrow 1])$, then 
$(q, \gamma') \rightarrow_{\mathcal{M}} (q', \gamma') \triangleright \gamma_i$. This transition simulates an operation that increments the 
$i$-th counter of $\mathcal{V}$. Notice that the switch number of the created thread with stack 
content $\gamma_i$ is 2 since the switch number of the active thread (with stack content $\gamma'$) is 
always equal to 1. 

- For every $q, q' \in Q$, $a \in \Sigma$, and $i \in [1, n]$, if $\delta(q, a) = (q', 0^n[i \leftarrow -1])$, then $q \mapsto_{\mathcal{M}} q' \triangleleft 
\gamma_i$ and $(q', \gamma_i) \hookrightarrow_{\mathcal{M}} (q', \epsilon)$. These transitions simulate an operation that decrements 
the value of the $i$-th counter of $\mathcal{V}$. 

Observe that the size of $\mathcal{M}$ is polynomial in the size of $\mathcal{V}$. Moreover, the relation between 
$\mathcal{V}$ and $\mathcal{M}$ is given by the following lemma: 

Lemma 3.7. Let $q \in Q$. $q$ is reachable by $\mathcal{V}$ if and only if $q$ is 2-bounded reachable by $\mathcal{M}$. 

The proof of Lemma 3.7 is done by induction on the length of the runs and is given in 
Appendix C. 

As an immediate consequence of Lemma 3.7 we obtain the following result: 

Proposition 3.8. The coverability problem for VASSs is polynomially reducible to the 
BSR[2] problem for DCFSs. 

4. The SSR[k] problem for DCFSs 

In this section, we consider the problem SSR[k] for $k \in \mathbb{N}$. We show that the problem SSR[k] 
for DCFSs is NP-complete. But before going into the details, let us recall the definition of 
existential Presburger arithmetic and some related results. 

4.1. Existential Presburger arithmetic. Let $V$ be a set of variables. We use $x, y, \ldots$ to 
range over variables in $V$. The set of terms of Presburger arithmetic is defined by: 

$$t ::= 0 \mid 1 \mid x \mid t + t$$

Then, the class of existential formulae is defined as follows: 

$$\varphi ::= t \leq t \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \exists x.\, \varphi$$

The length of a Presburger formula $\varphi$, denoted by $|\varphi|$, is the number of letters used 
in writing $\varphi$. The notion of free variables for an existential Presburger formula is defined 
as usual. We write $FV(\varphi) \subseteq V$ to denote that the formula $\varphi$ has $FV(\varphi)$ as its set of 
free variables. The semantics of existential Presburger formulae is defined in the standard 
way. Given a function $f$ from $FV(\varphi)$ to $\mathbb{N}$, we write $f \models \varphi$ if $\varphi$ holds for $f$ (in the 
obvious sense) and, in this case, we say that $f$ satisfies $\varphi$. We use $\llbracket \varphi \rrbracket$ to denote the set 
$\{f \in [FV(\varphi) \rightarrow \mathbb{N}] \mid f \models \varphi\}$. 

An existential Presburger formula $\varphi$ is satisfiable if and only if $\llbracket \varphi \rrbracket \neq \emptyset$. The satisfiability 
problem for $\varphi$ consists in checking whether $\varphi$ is satisfiable. It is well known that the 
satisfiability problem for existential Presburger formulae is NP-complete [VSS05]. 

Theorem 4.1. The satisfiability problem for existential Presburger formulae is NP-complete. 

We recall that the Parikh image of a context-free language is definable by an existential 
Presburger formula. 

Theorem 4.2 ([SSMH04]). If $\mathcal{P}$ is a PDA with input alphabet $\Sigma$, then it is possible to 
construct, in time and space polynomial in $|\mathcal{P}|$, an existential Presburger formula $\varphi$ with 
free variables $\Sigma$ such that $\llbracket \varphi \rrbracket = \mathit{Parikh}(L(\mathcal{P}))$. 

4.2. The SSR[k] problem for DCFSs is NP-complete. In this section, we mainly 
prove the following result: 

Theorem 4.3. For every $k \in \mathbb{N}$, the problem SSR[k] for DCFSs is NP-complete. 

The NP-hardness is proved by a reduction from the coverability problem of acyclic Petri 
nets [Ste95] to SSR[k]. This is done by a simple adaptation of the construction given in 
Section 3.4. The upper bound is obtained by a reduction to the satisfiability problem for 
existential Presburger formulae. 

Let $\mathcal{M} = (Q, \Gamma, \Delta, q_0, \gamma_0)$ be a DCFS, $k$ be a natural number, and $F \subseteq Q$ be a set of 
target states. To reduce the $k$-stratified state reachability problem for $\mathcal{M}$ to the satisfiability 
problem of an existential formula $\varphi$, we proceed in two steps: First, we construct a bounded-stack 
pushdown automaton $\mathcal{P}$ that simulates the $k$-stratified computations of $\mathcal{M}$ without 
taking into account the causality constraints. (The use of a pushdown automaton here is for 
technical convenience. In principle, $\mathcal{P}$ can be encoded as a finite-state automaton, but this 
would make the construction cumbersome.) In fact, $\mathcal{P}$ assumes that there is an unbounded 
number of pending threads for every local configuration in $\Gamma_\epsilon \times [0, k]$. Intuitively, $\mathcal{P}$ performs 
the same pushdown operations as the ones specified by $\Delta$ while making visible as transition 
labels: (1) $(\gamma, i, \triangleright)$ if the local configuration of the created (or the interrupted) thread is 
$(\gamma, i)$, (2) $(\gamma, i, \triangleleft)$ if the local configuration of the pending thread that has been activated 
is $(\gamma, i)$, and (3) $(\epsilon, i, -)$ if there is no thread creation and the switch number of the current 
active thread is $i$. 

Then, we show that there is a $k$-stratified computation of $\mathcal{M}$ if and only if there is a 
computation $\pi$ of $\mathcal{P}$ that satisfies the following two conditions: 

• The stratified condition: Threads in $\pi$ are scheduled according to their increasing switch 
number (from 0 to $k$). 

• The flow condition: For every stack content $\gamma \in \Gamma$ and switch number $i \in [0, k]$, the 
number of occurrences of $(\gamma, i, \triangleright)$ in $\pi$ is greater than the number of occurrences of 
$(\gamma, i, \triangleleft)$ in $\pi$ (i.e., the number of created (or interrupted) threads with local configuration 
$(\gamma, i)$ is greater than the number of threads with local configuration $(\gamma, i)$ that have been 
activated). 

Since the set of traces that satisfy the stratified condition is regular, we can 
construct a pushdown automaton $\mathcal{P}'$ (of bounded stack depth) that recognizes the set 
of traces of $\mathcal{P}$ that satisfy the first condition. Therefore, we can use Theorem 4.2 to 
construct an existential Presburger formula $\varphi'$ that characterizes the Parikh image of the 
set of traces of $\mathcal{P}'$. On the other hand, the flow condition can be expressed as an existential 
Presburger formula $\varphi''$ over the sets of variables $\{(\gamma, i, \triangleright) \mid \gamma \in \Gamma, i \in [0, k]\}$ and $\{(\gamma, i, \triangleleft) \mid \gamma \in 
\Gamma, i \in [0, k]\}$. Armed with these results, we can show that the $k$-stratified state reachability 
problem for $\mathcal{M}$ is reducible to the satisfiability problem of the existential formula $\varphi = \varphi' \wedge \varphi''$. 

Let us give more details about the constructions described above. 

From the DCFS $\mathcal{M}$ to the pushdown automaton $\mathcal{P}$: The pushdown automaton 
$\mathcal{P} = (P, \Sigma, \Gamma_{\mathcal{P}}, \Delta_{\mathcal{P}}, p_0, \gamma_{\mathcal{P}}, F_{\mathcal{P}})$ is built from $\mathcal{M}$ as follows: 

• $P = Q$ is the finite set of states. A state $q$ represents the global state of $\mathcal{M}$. 

• $\Sigma = \bigcup_{i=0}^{k} \Sigma_i$ is the finite set of input symbols, where $\Sigma_i = \Sigma_i^{\triangleright} \cup \Sigma_i^{\triangleleft} \cup \Sigma_i^{-}$ with $\Sigma_i^{\triangleright} = 
\Gamma_\epsilon \times \{i+1\} \times \{\triangleright\}$, $\Sigma_i^{\triangleleft} = \Gamma \times \{i\} \times \{\triangleleft\}$, and $\Sigma_i^{-} = \{(\epsilon, i, -)\}$ for all $i \in [0, k]$. A transition 
labeled with $(\alpha, i, \triangleright)$ corresponds to a rule of $\mathcal{M}$ that (1) creates a thread with local 
configuration $(\alpha, i)$, or (2) interrupts the execution of the active thread, whose stack content 
is $\alpha$. A transition labeled with $(\alpha, i, \triangleleft)$ corresponds to a rule of $\mathcal{M}$ that activates a pending 
thread with local configuration $(\alpha, i)$. A transition labeled with $(\epsilon, i, -)$ corresponds to 
a rule of $\mathcal{M}$ without thread creation and where the switch number of the current active 
thread is $i$. 

• $\Gamma_{\mathcal{P}} = (\Gamma_\epsilon \times [0, k]) \cup \{\bot\}$ is the finite set of stack symbols. Each symbol in $\Gamma_{\mathcal{P}}$ corresponds 
to the local configuration of the active thread of $\mathcal{M}$. 

• $\Delta_{\mathcal{P}}$ is the smallest transition relation satisfying the following conditions: 

- For every $i \in [0, k]$ and $(q, \gamma) \rightarrow_{\mathcal{M}} (q', u) \triangleright \epsilon$: $(q, (\gamma, i)) \xrightarrow{(\epsilon, i, -)}_{\mathcal{P}} (q', (u, i))$. This transition 
corresponds to the simulation of a transition of $\mathcal{M}$ without thread creation. 

- For every $i \in [0, k]$ and $(q, \gamma) \rightarrow_{\mathcal{M}} (q', u) \triangleright \alpha$ with $\alpha \in \Gamma$: $(q, (\gamma, i)) \xrightarrow{(\alpha, i+1, \triangleright)}_{\mathcal{P}} 
(q', (u, i))$. This corresponds to the simulation of a transition of $\mathcal{M}$ with thread creation. 

- For every $i \in [0, k]$ and $(q, \gamma) \hookrightarrow_{\mathcal{M}} (q', u)$: $(q, (\gamma, i)) \xrightarrow{(u, i+1, \triangleright)}_{\mathcal{P}} (q', \bot)$. This corresponds 
to the interruption of the execution of the active thread of $\mathcal{M}$. 

- For every $i \in [0, k]$ and $q \mapsto_{\mathcal{M}} q' \triangleleft \gamma$: $(q, \bot) \xrightarrow{(\gamma, i, \triangleleft)}_{\mathcal{P}} (q', (\gamma, i))$. This corresponds to 
the activation of a pending thread of $\mathcal{M}$ with local configuration $(\gamma, i)$. 

• $p_0 = q_0$ is the initial state. 

• $\gamma_{\mathcal{P}} = \bot$ is the initial stack symbol. 

• $F_{\mathcal{P}} = F$ is the set of final states. 

Observe that the size of the pushdown automaton $\mathcal{P}$ is polynomial in the size of the DCFS 
$\mathcal{M}$. Moreover, the depth of the stack of $\mathcal{P}$ is always bounded by one. 

The relation between the DCFS $\mathcal{M}$ and the pushdown automaton $\mathcal{P}$ is established by 
Lemma 4.4, which states that there is a state $q \in F$ such that $q$ is $k$-stratified reachable by 
$\mathcal{M}$ if and only if there is a computation $\pi$ of $\mathcal{P}$ that satisfies the stratified condition and 
the flow condition. 

Lemma 4.4. A state $q \in F$ is $k$-stratified reachable by $\mathcal{M}$ if and only if there are $\sigma_i \in \Sigma_i^*$ 
for all $i \in [0, k]$ such that: 

• $\sigma_0 \sigma_1 \cdots \sigma_k \in \mathit{Traces}_{T(\mathcal{P})}(\{(q_0, \bot)\}, F \times \{\bot\})$; and 

• $|\sigma_i|_{(\gamma, i, \triangleleft)} \leq |\sigma_{i-1}|_{(\gamma, i, \triangleright)}$ for all $\gamma \in \Gamma$ and $i \in [0, k]$, where $\sigma_{-1} = (\gamma_0, 0, \triangleright)$. 

The proof of Lemma 4.4 is done by induction and is given in Appendix D. 

From the PDA $\mathcal{P}$ to the existential Presburger formula $\varphi$: In the following, we 
show that the problem of checking whether there are $\sigma_i \in \Sigma_i^*$ for all $i \in [0, k]$ such that 
$\sigma_0 \sigma_1 \cdots \sigma_k \in \mathit{Traces}_{T(\mathcal{P})}(\{(q_0, \bot)\}, F \times \{\bot\})$ and $|\sigma_i|_{(\gamma, i, \triangleleft)} \leq |\sigma_{i-1}|_{(\gamma, i, \triangleright)}$ for all $\gamma \in \Gamma$ 
and $i \in [0, k]$ with $\sigma_{-1} = (\gamma_0, 0, \triangleright)$ is polynomially reducible to the satisfiability problem 
of an existential Presburger formula $\varphi$. This implies that the SSR[k] problem for $\mathcal{M}$ is 
polynomially reducible to the satisfiability problem for $\varphi$ (see Lemma 4.4). 

Lemma 4.5. It is possible to construct an existential Presburger formula $\varphi$ with $\llbracket \varphi \rrbracket \neq \emptyset$ if 
and only if there are $\sigma_i \in \Sigma_i^*$ for all $i \in [0, k]$ such that $\sigma_0 \sigma_1 \cdots \sigma_k \in \mathit{Traces}_{T(\mathcal{P})}(\{(q_0, \bot)\}, F \times 
\{\bot\})$ and $|\sigma_i|_{(\gamma, i, \triangleleft)} \leq |\sigma_{i-1}|_{(\gamma, i, \triangleright)}$ for all $\gamma \in \Gamma$ and $i \in [0, k]$ with $\sigma_{-1} = (\gamma_0, 0, \triangleright)$. 

Proof. Let $\mathcal{P}'$ be the pushdown automaton such that $L(\mathcal{P}') = \mathit{Traces}_{T(\mathcal{P})}(\{(q_0, \bot)\}, F \times 
\{\bot\}) \cap (\Sigma_0^* \cdot \Sigma_1^* \cdots \Sigma_k^*)$. Such a pushdown automaton $\mathcal{P}'$ is effectively constructible from $\mathcal{P}$ 
since the class of pushdown automata is closed under intersection with regular languages. 

Now, we can use Theorem 4.2 to construct a Presburger formula $\varphi'$ with free variables $\Sigma$ 
such that $\llbracket \varphi' \rrbracket = \mathit{Parikh}(L(\mathcal{P}'))$. In addition, for every $i \in [1, k]$, we construct an existential 
Presburger formula $\varphi_i$ with free variables $\Sigma$ such that $\varphi_i = \bigwedge_{\gamma \in \Gamma} ((\gamma, i, \triangleleft) \leq (\gamma, i, \triangleright))$. 
Let $\varphi_0 = (\bigwedge_{\gamma \in \Gamma \setminus \{\gamma_0\}} ((\gamma, 0, \triangleleft) \leq 0)) \wedge ((\gamma_0, 0, \triangleleft) \leq 1)$ and $\varphi'' = \bigwedge_{i=0}^{k} \varphi_i$. 

Then, it is not hard to see that the existential Presburger formula $\varphi = \varphi' \wedge \varphi''$ is 
satisfiable if and only if there are $\sigma_i \in \Sigma_i^*$ for all $i \in [0, k]$ such 
that $\sigma_0 \sigma_1 \cdots \sigma_k \in \mathit{Traces}_{T(\mathcal{P})}(\{(q_0, \bot)\}, F \times \{\bot\})$ and $|\sigma_i|_{(\gamma, i, \triangleleft)} \leq |\sigma_{i-1}|_{(\gamma, i, \triangleright)}$ for all $\gamma \in \Gamma$ 
and $i \in [0, k]$ with $\sigma_{-1} = (\gamma_0, 0, \triangleright)$. □ 

As an immediate consequence of Theorem 4.1 and Lemma 4.5, we obtain the following 
result: 

Lemma 4.6. For every $k \in \mathbb{N}$, the problem SSR[k] for DCFSs is in NP. 
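An added Python example (written for this edit, not from the paper) of the two conditions of Lemma 4.4: it builds the labelled, stack-depth-one PDA $\mathcal{P}$ of Section 4.2 from a DCFS given as rule tuples, splits a candidate trace into $\sigma_0 \cdots \sigma_k$ according to the sub-alphabets $\Sigma_i$ (the stratified condition), and checks $|\sigma_i|_{(\gamma,i,\triangleleft)} \leq |\sigma_{i-1}|_{(\gamma,i,\triangleright)}$ with $\sigma_{-1} = (\gamma_0, 0, \triangleright)$ (the flow condition). The Parikh-image formula $\varphi'$ of Theorem 4.2 is not constructed here: the example checks individual traces instead of solving the existential Presburger formula. The markers $\triangleright$ and $\triangleleft$ are written as ">" and "<"; the toy DCFS and the traces are constructed.

```python
from collections import Counter

EPS = ""
BOT = None   # the PDA's bottom stack symbol (the paper's ⊥)
# The markers ▷ and ◁ of the paper are written ">" and "<" in this example.

# Rule encoding (constructed): ("step", q, g, q2, u, alpha): (q,g) -> (q2,u) |> alpha
#                              ("intr", q, g, q2, u): interruption   ("act", q, q2, g): activation


def pda_from_dcfs(rules, k):
    """The labelled PDA P of Section 4.2.  Transitions are
    ((q, stack_symbol), label, (q2, stack_symbol)) with stack symbols (content, i) or BOT."""
    trans = []
    for i in range(k + 1):
        for r in rules:
            if r[0] == "step":
                _, q, g, q2, u, a = r
                label = (EPS, i, "-") if a == EPS else (a, i + 1, ">")   # created thread gets i+1
                trans.append(((q, (g, i)), label, (q2, (u, i))))
            elif r[0] == "intr":
                _, q, g, q2, u = r
                trans.append(((q, (g, i)), (u, i + 1, ">"), (q2, BOT)))  # interrupted thread gets i+1
            elif r[0] == "act":
                _, q, q2, g = r
                trans.append(((q, BOT), (g, i, "<"), (q2, (g, i))))
    return trans


def run_pda(trans, q0, trace):
    """Set of configurations P can be in after reading `trace` from (q0, BOT)."""
    confs = {(q0, BOT)}
    for lab in trace:
        confs = {dst for src, l, dst in trans if src in confs and l == lab}
    return confs


def stage(label):
    """Index i of the sub-alphabet Sigma_i containing the label: (α, i+1, ▷) lies in Sigma_i,
    as do (γ, i, ◁) and (ε, i, −)."""
    _, n, kind = label
    return n - 1 if kind == ">" else n


def split_stratified(trace, k):
    """Return [σ0, ..., σk] if the trace is stratified (stages never decrease), else None."""
    parts = [[] for _ in range(k + 1)]
    last = 0
    for lab in trace:
        s = stage(lab)
        if s < last or s > k:
            return None
        parts[s].append(lab)
        last = s
    return parts


def flow_ok(parts, gamma, gamma0):
    """Flow condition of Lemma 4.4: at stage i a pending (γ, i) thread is activated at most
    as often as such a thread was created or interrupted at stage i-1."""
    prev = Counter({(gamma0, 0, ">"): 1})          # σ_{-1} = (γ0, 0, ▷): the initial thread
    for i, part in enumerate(parts):
        cur = Counter(part)
        if any(cur[(g, i, "<")] > prev[(g, i, ">")] for g in gamma):
            return False
        prev = cur
    return True


def conditions_hold(trace, k, gamma, gamma0):
    parts = split_stratified(trace, k)
    return parts is not None and flow_ok(parts, gamma, gamma0)


# Constructed toy DCFS: main thread g0 spawns a, a spawns b, b reaches q3.
TOY_GAMMA = ["g0", "a", "b"]
TOY_RULES = [
    ("act",  "q0", "q0", "g0"),
    ("step", "q0", "g0", "q0", "g0", "a"),
    ("intr", "q0", "g0", "q1", EPS),
    ("act",  "q1", "q1", "a"),
    ("step", "q1", "a", "q1", "a", "b"),
    ("intr", "q1", "a", "q2", EPS),
    ("act",  "q2", "q2", "b"),
    ("step", "q2", "b", "q3", EPS, EPS),
]

# Constructed trace of P for k = 2 that reaches q3; its stages are 0,0,0,1,1,1,2,2.
GOOD_TRACE = [("g0", 0, "<"), ("a", 1, ">"), (EPS, 1, ">"),
              ("a", 1, "<"), ("b", 2, ">"), (EPS, 2, ">"),
              ("b", 2, "<"), (EPS, 2, "-")]
# Activating a second (b, 2) thread that was never created violates the flow condition.
BAD_TRACE = GOOD_TRACE + [("b", 2, "<")]

if __name__ == "__main__":
    P = pda_from_dcfs(TOY_RULES, 2)
    print("after GOOD_TRACE:", run_pda(P, "q0", GOOD_TRACE))
    print("good:", conditions_hold(GOOD_TRACE, 2, TOY_GAMMA, "g0"))
    print("bad:", conditions_hold(BAD_TRACE, 2, TOY_GAMMA, "g0"))
```

The flow check only ranges over $\gamma \in \Gamma$, as in the lemma: threads with empty stack content are produced by interruptions but never activated, so no inequality is needed for them.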
5. Reachability analysis for dynamic networks of concurrent pushdown 
systems 

In this section, we consider the case of DCPSs. It is well known that the SR problem 
is undecidable already for networks with two concurrent pushdown processes. We show 
however that both problems BSR[k] and SSR[k] are decidable, for any given bound $k \in \mathbb{N}$. 
For that, we prove the following fact. 

Theorem 5.1. For every $k \in \mathbb{N}$, the problems BSR[k] and SSR[k] for DCPSs are expo- 
nentially reducible to the corresponding problems for DCFSs. 

As a corollary of Theorem 3.1, Theorem 4.3 and Theorem 5.1, we obtain the following 
results: 

Corollary 5.2. For every $k \in \mathbb{N}$, the BSR[k] problem for DCPSs is in 2-EXPSPACE, and 
the SSR[k] problem for DCPSs is in NEXPTIME. 
The rest of this section is devoted to the proof of Theorem 5.1. Let us fix a DCPS 
$\mathcal{M} = (Q, \Gamma, \Delta, q_0, \gamma_0)$. We show that it is possible to construct a DCFS $\mathcal{M}_{fs}$ such that the 
problems BSR[k] and SSR[k] for $\mathcal{M}$ can be reduced to their corresponding problems for $\mathcal{M}_{fs}$. 
Let us present the main steps of this construction. For that, let us consider the problem 
BSR[k], for some fixed $k \in \mathbb{N}$. Then, let us concentrate on the computations of one thread, 
and assume that this thread will be interrupted $i$ times (with $i \leq k + 1$) during its execution, 
starting from some initial global state $q$ and initial local state $\gamma$. The computations of 
such a thread correspond to runs of a pushdown automaton, built out of $\mathcal{M}$, which (1) 
performs the same operations on the stack and the global state as the ones specified by $\Delta$, 
(2) makes visible as transition labels the local state (element of $\Gamma$) of spawned threads, and 
(3) nondeterministically guesses jumps from a global state to another one corresponding 
to the effect of context switches. These jumps are also made visible as transition labels 
of the form $(q, \alpha, q') \in (Q \times \Gamma_\epsilon \times Q)$ (meaning that the computation of the thread is 
interrupted at the state $q$ with stack content $\alpha w$ for some $w \in \Gamma^*$, and is resumed at the 
state $q'$). In fact, if a thread fires a transition labeled by a symbol of the form $(q, \epsilon, q')$ then 
its execution is definitely interrupted (i.e., the execution of this thread will never be 
resumed). The number of such jumps in each run is precisely $i$. 

Then, the problem is to handle the composition of all the computations of the generated 
threads and to make sure that the guesses made by each one of them (on their control-state 
jumps due to context switches) are correct. In fact, handling this composition is a very 
hard task in general when threads are modeled as pushdown automata. To overcome this 
difficulty, the key observation is that it is possible to assume without loss of preciseness 
that some of the generated threads can be ignored (or lost). Indeed, these threads can 
always be considered as threads which will never be scheduled. Therefore, the behaviors of 
each thread can be modeled using a finite-state automaton which recognizes the downward 
closure of the language of the pushdown automaton of a thread with respect to the subword 
relation. We know by Theorem 1.1 that this automaton is effectively constructible. So, let 
$\mathcal{A}_{(q, \gamma)}$ be the automaton modeling the computations of threads starting from the state $q$ 
and initial stack content $\gamma$, and performing at most $k + 1$ interruptions. We assume w.l.o.g. 
that $\mathcal{A}_{(q, \gamma)}$ has no $\epsilon$-transitions. 

The next step is to synchronize the so-defined finite-state automata in order to represent 
valid computations of the whole system. For that, we define a DCFS $\mathcal{M}_{fs}$ which simulates 
the composition of these automata as follows: 

• A pending thread with stack content $\gamma$ which has never been activated can be dispatched 
by $\mathcal{M}_{fs}$ at the moment of a context switch. For that, $\mathcal{M}_{fs}$ has a rule $(q, \gamma) \rightarrow_{\mathcal{M}_{fs}} (\sharp, s_0) \triangleright \epsilon$ 
where $s_0$ is the initial state of $\mathcal{A}_{(q, \gamma)}$, for every possible starting state $q$ and every stack symbol 
$\gamma \in \Gamma$. This rule allows to check that the control state is $q$, and moves the system to a 
special state $\sharp$ corresponding to the simulation of a phase without context switches. 

• During the simulation, when a transition $s \xrightarrow{\gamma}_{\mathcal{A}_{(q, \gamma)}} s'$, with $\gamma \in \Gamma$, is encountered, a new 
thread is spawned by $\mathcal{M}_{fs}$ with initial stack content $\gamma$. This is done using a rule of the 
form $(\sharp, s) \rightarrow_{\mathcal{M}_{fs}} (\sharp, s') \triangleright \gamma$. The new thread will stay pending until $\mathcal{M}_{fs}$ can dispatch it. 

• Encountering a transition $s \xrightarrow{(q_1, \alpha, q_2)}_{\mathcal{A}_{(q, \gamma)}} s'$ means that the computation of the simulated 
thread is interrupted at the global state $q_1$ with stack content $\alpha w$ for some $w \in \Gamma^*$, and 
will be resumed later when the global state becomes $q_2$ (due to the execution of some 
other threads). Then, $\mathcal{M}_{fs}$ moves from its global state $\sharp$ to the global state $q_1$ (so that the 
control can be taken by another pending thread), and transforms the stack configuration 
of the current thread (which may be interrupted) to $(q_2, (s', \alpha))$. This is done by a rule 
of the form $(\sharp, s) \hookrightarrow_{\mathcal{M}_{fs}} (q_1, (q_2, (s', \alpha)))$. 

• To simulate a transition $q \mapsto_{\mathcal{M}} q' \triangleleft \gamma$ that starts/resumes the execution of a pending 
thread with topmost stack symbol $\gamma \in \Gamma$, $\mathcal{M}_{fs}$ has the rules $q \mapsto_{\mathcal{M}_{fs}} q' \triangleleft \gamma$ and $q \mapsto_{\mathcal{M}_{fs}} 
q' \triangleleft (q', (s, \gamma))$. In this case, we observe that the only action that can be done by $\mathcal{M}_{fs}$ 
after executing these rules is to activate some pending thread with topmost stack symbol 
$\gamma'$ (either dispatched for the first time, or resumed after some interruption). 

We have seen above how $\mathcal{M}_{fs}$ dispatches pending threads for the first time. The resump- 
tion of threads at state $q'$ is done by having rules of the form $(q', (q', (s, \gamma))) \rightarrow_{\mathcal{M}_{fs}} (\sharp, s) \triangleright \epsilon$. 
Such a rule means that if a pending thread $(q', (s, \gamma))$ exists, then it can be activated and 
the simulation of its behaviors is resumed from the state $s$ (at which it was stopped at 
the last interruption). 

Let us give in more detail the construction described above. 

5.1. Simulation of threads of $\mathcal{M}$ with finite-state automata. Next, we give the 
construction of the finite-state automaton $\mathcal{A}_{(q, \gamma)}$ for some given $q \in Q$ and $\gamma \in \Gamma$. For 
that, we start by considering a pushdown automaton $\mathcal{P}_{(q, \gamma)}$ simulating the behaviors of a 
thread that starts its execution from the global state $q$ and the initial stack configuration $\gamma$ 
after some number of jumps in the global state (representing guesses on the effect of context 
switches). The spawned threads as well as the guesses on the global-state jumps made during 
the computation are made visible as transition labels. 

Then, let $\mathcal{P}_{(q, \gamma)} = (P, \Sigma, \Gamma, \Delta_{\mathcal{P}}, q, \gamma, Q)$ be the pushdown automaton where: 

• $P = Q \cup (Q \times \Gamma)$ is the finite set of states, 

• $\Sigma = \Gamma \cup \Sigma_{sw} \cup \Sigma_{inr}$ is the finite set of input symbols with $\Sigma_{sw} = Q \times \Gamma \times Q$ and $\Sigma_{inr} = 
Q \times \{\epsilon\} \times Q$, 

• $\Delta_{\mathcal{P}}$ is the smallest transition relation such that: 

- For every $(q_1, \gamma_1) \rightarrow_{\mathcal{M}} (q_2, u) \triangleright \alpha$, $(q_1, \gamma_1) \xrightarrow{\alpha}_{\mathcal{P}_{(q, \gamma)}} (q_2, u)$. This rule simulates a push- 
down operation on the active thread with the possibility of a thread creation. 

- For every $(q_1, \gamma_1) \hookrightarrow_{\mathcal{M}} (q_2, u)$ and $q_2' \in Q$, $(q_1, \gamma_1) \xrightarrow{(q_2, \epsilon, q_2')}_{\mathcal{P}_{(q, \gamma)}} (q_2', u)$. This rule 
corresponds to interrupting the execution of the active thread at the state $q_2$. In addition, 
the execution of this thread will never be resumed. 

- For every $(q_1, \gamma_1) \hookrightarrow_{\mathcal{M}} (q_2, u)$, $q_2' \in Q$, and $\gamma' \in \Gamma$, $(q_1, \gamma_1) \xrightarrow{(q_2, \gamma', q_2')}_{\mathcal{P}_{(q, \gamma)}} ((q_2', \gamma'), u)$ 
and $((q_2', \gamma'), \gamma') \xrightarrow{\epsilon}_{\mathcal{P}_{(q, \gamma)}} (q_2', \gamma')$. This rule simulates the interruption of the execution 
of the active thread at the state $q_2$. In addition, the execution of this thread will be 
resumed at the state $q_2'$ with topmost stack symbol $\gamma'$. 

Then, the set of behaviors represented by this pushdown automaton which correspond to 
precisely $i \geq 1$ context switches (or interruptions) is given by the following language: 

$$L_{((q, \gamma), i)} = L(\mathcal{P}_{(q, \gamma)}) \cap \left( (\Gamma^* \cdot \Sigma_{sw})^{i-1} \cdot \Gamma^* \cdot \Sigma_{inr} \right)$$

The set $L_{((q, \gamma), i)}$ is a context-free language in general (since it is the intersection of 
a context-free language with a regular one). Due to the fact that some of the generated 
threads can be ignored (or lost), we can consider without loss of preciseness the downward 
closure of $L_{((q, \gamma), i)}$ w.r.t. the subword relation corresponding to the deletion of symbols in $\Gamma$ 
while preserving all symbols in $\Sigma_{sw} \cup \Sigma_{inr}$, i.e., the set 

$$L_{(q, \gamma)} = \bigcup_{i=1}^{k+1} \left( L_{((q, \gamma), i)}{\downarrow} \cap \left( (\Gamma^* \cdot \Sigma_{sw})^{i-1} \cdot \Gamma^* \cdot \Sigma_{inr} \right) \right)$$

By Theorem 1.1, the language $L_{(q, \gamma)}$ is regular and can be effectively represented by 
a finite-state automaton $\mathcal{A}_{(q, \gamma)} = (S_{(q, \gamma)}, \Sigma, \Delta_{(q, \gamma)}, I_{(q, \gamma)}, F_{(q, \gamma)})$. We assume w.l.o.g. that all 
the states in the automaton $\mathcal{A}_{(q, \gamma)}$ are co-reachable from the final states. We assume also 
that $\Delta_{(q, \gamma)} \subseteq S_{(q, \gamma)} \times \Sigma \times S_{(q, \gamma)}$ (i.e., there is no transition of $\mathcal{A}_{(q, \gamma)}$ labeled by the empty 
word). 

5.2. From the DCPS $\mathcal{M}$ to the DCFS $\mathcal{M}_{fs}$. In the following, we give the formal def- 
inition of the DCFS $\mathcal{M}_{fs}$. The system $\mathcal{M}_{fs}$ is defined by the tuple $(Q_{fs}, \Gamma_{fs}, \Delta_{fs}, q_0, \gamma_0)$ 
where: 

• $Q_{fs} = Q \cup \{\sharp\}$ is the finite set of states. 

• $\Gamma_{fs} = \Gamma \cup S_{fs}^{sm} \cup (Q \times (S_{fs}^{sm} \times \Gamma_\epsilon))$ is the finite stack alphabet, where $S_{fs}^{sm} = \bigcup_{(q, \gamma) \in Q \times \Gamma} S_{(q, \gamma)}$. 

• $\Delta_{fs}$ is the smallest set of transitions such that: 

- Initialize: For every $\gamma \in \Gamma$ and $q \in Q$, we have $(q, \gamma) \rightarrow_{\mathcal{M}_{fs}} (\sharp, s_0) \triangleright \epsilon$ where $s_0$ is the 
initial state of $\mathcal{A}_{(q, \gamma)}$. 

- Spawn: For every $q \in Q$, $\gamma \in \Gamma$, and $s \xrightarrow{\alpha}_{\mathcal{A}_{(q, \gamma)}} s'$, we have $(\sharp, s) \rightarrow_{\mathcal{M}_{fs}} (\sharp, s') \triangleright \alpha$. 
(Notice that, from the definition of $\mathcal{A}_{(q, \gamma)}$, $\alpha$ is necessarily in $\Gamma$.) 

- Interrupt: For every $q \in Q$, $\gamma \in \Gamma$, and $s \xrightarrow{(q_1, \alpha, q_2)}_{\mathcal{A}_{(q, \gamma)}} s'$, we have $(\sharp, s) \hookrightarrow_{\mathcal{M}_{fs}} 
(q_1, (q_2, (s', \alpha)))$. 

- Dispatch: For every $s \in S_{fs}^{sm}$ and $q_1 \mapsto_{\mathcal{M}} q_2 \triangleleft \gamma'$, we have $q_1 \mapsto_{\mathcal{M}_{fs}} q_2 \triangleleft \gamma'$ and 
$q_1 \mapsto_{\mathcal{M}_{fs}} q_2 \triangleleft (q_2, (s, \gamma'))$. 

- Resume: For every $q \in Q$, $\gamma \in \Gamma$, and $s \in S_{fs}^{sm}$, we have $(q, (q, (s, \gamma))) \rightarrow_{\mathcal{M}_{fs}} (\sharp, s) \triangleright \epsilon$. 

Theorem 5.1 is an immediate consequence of Lemma 5.3. 

Lemma 5.3. For every $k \in \mathbb{N}$, a control state $q \in Q$ is $k$-bounded (resp. $k$-stratified) 
reachable by $\mathcal{M}$ iff $q$ is $k$-bounded (resp. $k$-stratified) reachable by $\mathcal{M}_{fs}$. 

The proof of Lemma 5.3 is given in Appendix E. 

6. Conclusion 

We have proposed new concepts for context-bounded verification that we believe are natural 
and suitable for programs with dynamic thread creation. These concepts are based on the 
idea of bounding the number of switches for each thread rather than for all the threads in a 
computation. 

First, we have proved that even for finite-state threads, adopting such a notion of 
context-bounding leads in general to a problem which is as hard as the coverability problem 
of Petri nets. This means that, in theory, the complexity of this problem is high, but in 
practice there are quite efficient techniques (based on iterative computation of under/upper 
approximations) developed recently for solving this problem which have been implemented 
and used successfully in [GRB06b, GRB06a]. Moreover, we have proposed a notion of 
stratified context-bounding for which the verification is in NP, i.e., as hard as in the case 
without dynamic thread creation. An interesting question is how to implement the analysis 
efficiently in this case using clever encodings in SMT solvers. 

Moreover, we have proved that the considered problems are still decidable for the case 
of pushdown threads. This is done by a nontrivial reduction to the corresponding problems 
for finite-state threads. This reduction is based on computing the regular downward closure 
of context-free languages w.r.t. the subword relation. The downward closure computation 
may lead in general to an unavoidable exponential blow-up. This is due to the succinctness 
of context-free grammars w.r.t. finite-state automata: For instance, the finite language 
$\{a^{2^N}\}$, for a fixed $N > 1$, can be defined with a context-free grammar of size $N$ whereas 
a finite-state automaton representing it (or its downward closure) is necessarily of size at 
least $2^N$. An interesting open problem is whether there is an alternative proof technique 
which allows to avoid the downward closure construction. In practice, we believe that it 
would be possible to overcome this problem by, for instance, designing algorithms that 
generate the downward closure (or parts of it) efficiently and incrementally. 

Finally, in our models, we consider that each created thread inherits a switch number 
from its father (the one of its father plus 1). An alternative definition can be obtained 
by considering that each created thread is given the switch number 0. (Therefore, each 
thread can perform up to $k$ switches.) However, the problem SSR[k] for finite-state threads 
(resp. pushdown threads) becomes EXPSPACE-complete (in 2-EXPSPACE) instead of 
NP-complete (NEXPTIME) for this definition. 




Appendix A. The proof of Lemma 3.3

Lemma 3.3. Let $q \in Q$. $q$ is $k$-bounded reachable by $\mathcal{M}$ iff $q$ is reachable by $\mathcal{M}'$.

Proof. To prove Lemma 3.3 we proceed as follows: First, we show that for every configuration $c$ reachable by $\mathcal{M}'$, the local configuration $((w', i'), j') \in Loc(\mathcal{M}')$ of any thread satisfies the condition that the switch number $j'$ is equal to the recorded switch number $i'$ (i.e., $i' = j'$). This property is established by Lemma A.1. Then, we prove that if a state $q$ is $k$-bounded reachable by $\mathcal{M}$, then $q$ is reachable by $\mathcal{M}'$ (see Lemma A.2). Finally, we show that if a state $q$ is reachable by a computation of $\mathcal{M}'$, then $q$ is $k$-bounded reachable by $\mathcal{M}$ (see Lemma A.3).

The switch number of any thread of $\mathcal{M}'$ is equal to its recorded switch number: In the following, we show that for every configuration $c$ reachable by $\mathcal{M}'$, the local configuration $((w', i'), j') \in Loc(\mathcal{M}')$ of any thread satisfies the condition that the switch number $j'$ is equal to the recorded switch number $i'$.

Lemma A.1. If $c^{init}_{\mathcal{M}'} \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{M}')} c$, then $Active(c) \in (\{\bot\} \cup \{((w,i),i) \mid w \in \Gamma_\varepsilon,\ i \in [0,k]\})$, $Idle(c)((\varepsilon, l)) = 0$ for all $l \in \mathbb{N}$, and $Idle(c)(((w', i'), j')) = 0$ for all $w' \in \Gamma_\varepsilon$ and $i', j' \in \mathbb{N}$ such that $i' \neq j'$.

Proof. Assume that $c^{init}_{\mathcal{M}'} \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{M}')} c$ with $|\tau| = n$ for some $n \in \mathbb{N}$. We proceed by induction on $n$.

Basis. $n = 0$. Then $c^{init}_{\mathcal{M}'} = c = (q_0, \bot, Id^{\{((\gamma_0,0),0)\}}_{Loc(\mathcal{M}')})$. Hence, Lemma A.1 holds.

Step. $n > 0$. Then, there is a configuration $c' \in Conf(\mathcal{M}')$, $\tau' \in (\Delta')^*$, and $t \in \Delta'$ such that $\tau = \tau' t$, and $c^{init}_{\mathcal{M}'} \Rightarrow^{\tau'}_{\mathcal{T}(\mathcal{M}')} c' \rightarrow^{t}_{\mathcal{T}(\mathcal{M}')} c$.

Now, we apply the induction hypothesis to the run $c^{init}_{\mathcal{M}'} \Rightarrow^{\tau'}_{\mathcal{T}(\mathcal{M}')} c'$ (of length $n-1$), and we obtain $Active(c') \in (\{\bot\} \cup \{((w,i),i) \mid w \in \Gamma_\varepsilon,\ i \in [0,k]\})$, $Idle(c')((\varepsilon, l)) = 0$ for all $l \in \mathbb{N}$, and $Idle(c')(((w', i'), j')) = 0$ for all $w' \in \Gamma_\varepsilon$ and $i', j' \in \mathbb{N}$ such that $i' \neq j'$.

Since $c' \rightarrow^{t}_{\mathcal{T}(\mathcal{M}')} c$, there are four cases to study depending on the type of the transition $t \in \Delta'$:

• Case 1: $t = (q, (\gamma, r)) \hookrightarrow_{\mathcal{M}'} (q', (u, r)) \triangleright \varepsilon$ with $r \in [0,k]$. Then, $Active(c') = ((\gamma, r), r)$ (using the induction hypothesis). This implies that $Active(c) = ((u, r), r)$ and $Idle(c) = Idle(c')$. Hence, all the conditions of Lemma A.1 are satisfied.

• Case 2: $t = (q, (\gamma, r)) \hookrightarrow_{\mathcal{M}'} (q', (u, r)) \triangleright (\alpha, r+1)$ with $r \in [0,k]$ and $\alpha \in \Gamma$. Then, $Active(c') = ((\gamma, r), r)$, $Active(c) = ((u, r), r)$, and $Idle(c) = Idle(c') + Id^{\{((\alpha, r+1), r+1)\}}_{Loc(\mathcal{M}')}$. This implies that all the conditions of Lemma A.1 are satisfied.

• Case 3: $t = (q, (\gamma, r)) \mapsto_{\mathcal{M}'} (q', (u, r+1))$ with $r \in [0,k]$. Then, $Active(c') = ((\gamma, r), r)$, $Active(c) = \bot$, and $Idle(c) = Idle(c') + Id^{\{((u, r+1), r+1)\}}_{Loc(\mathcal{M}')}$. This implies that all the conditions of Lemma A.1 are satisfied.

• Case 4: $t = q \hookrightarrow_{\mathcal{M}'} q' \triangleleft (\gamma, r)$ with $r \in [0,k]$ and $\gamma \in \Gamma$. Then, there is $j \in \mathbb{N}$ such that $Active(c') = \bot$, $Active(c) = ((\gamma, r), j)$, $Idle(c')(((\gamma, r), j)) \geq 1$, and $Idle(c) = Idle(c') - Id^{\{((\gamma, r), j)\}}_{Loc(\mathcal{M}')}$. Since $Idle(c')(((\gamma, r), j)) \geq 1$, this implies that necessarily we have $r = j$ (from the induction hypothesis). Thus, all the conditions of Lemma A.1 are satisfied.

□

The Only if direction of Lemma 3.3: In the following, we show that if a state $q$ is $k$-bounded reachable by $\mathcal{M}$, then $q$ is also reachable by $\mathcal{M}'$.

Lemma A.2. If $c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}_{[0,k]}(\mathcal{M})} c$, then there is $\tau' \in (\Delta')^*$ such that $c^{init}_{\mathcal{M}'} \Rightarrow^{\tau'}_{\mathcal{T}(\mathcal{M}')} c'$ where the configuration $c' \in Conf(\mathcal{M}')$ is defined as follows:

• $State(c') = State(c)$.

• If $Active(c) = \bot$, then $Active(c') = \bot$.

• If $Active(c) = (w,i)$ for some $w \in \Gamma_\varepsilon$ and $i \in [0,k]$, then $Active(c') = ((w,i),i)$.

• $Idle(c')$ is defined from $Idle(c)$ as follows:

(1) $Idle(c')(((w', j'), j')) = Idle(c)((w', j'))$ for all $w' \in \Gamma_\varepsilon$ and $j' \in [0, k+1]$, and

(2) $0$ otherwise.
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Proof. First, we observe that c']$ =^T ok (M) c i m P nes Active(c) = _L or Active(c) = (w,i) 
for some w E r e and i E [0, k] by definition. Let us assume that c l ]$ ==> k] (M) c f° r some 
n E N. We proceed by induction on n. 

Basis, n = 0. This implies that r = e and c?j$ = c = (qo,-L, ld^°/jj^j). Then, by taking 

d = c'j^, and r' = e, all the conditions of Lemma I A. 21 are satisfied. 

Step, n > 0. Then there are c\ € Conf(A4), t\ E A*, and t E A such that: 

C M =f T [0>fe] (A^)Ci ^7f , fc] (A1) c ( A - X ) 
We apply the induction hypothesis to the run c']$ = > T [0k] (M) c i> an d we obtain that 
there are d 1 E Conf(M') and r{ E (A')* such that: 

_ „init — L* „/ 

• C .M' ^^T(M') C l- 

• State{d l ) = State{c\). 

• If Active(c\) = _L, then Active(d 1 ) = JL. 

• If Active(ci) = (w,i) for some w E r e and i E [0, then Active(d 1 ) = ((w,i),i). 

• The function Idle(d 1 ) is defined from Idle(c\) as follows: 

(1) Wte(^)(((«/,/),/)) = Idle( Cl )((w',j')) for all «/ E T e and j' E [0, k + 1], and 

(2) otherwise. 

Since c\ ~^T[ k ](M) c > one °f the following four cases holds: 

• Case 1: i = ((7,7) —>m(q' ' -> u ) !> e - Then, there is i E [0, fc] such that State{c\) = q, 
State{c) = q', Active{c\) = (7, £), Active(c) = (u,i), and Idle(c\) = Idle(c). From 
the definition of At', t' = {q, (7,1)} —>w{q' , (u,i)) > e. Moreover, we have State(d 1 ) = 
State (c\) = q and Active{c\) = ((7,2), i). Then, by taking c' = (q' , ((u,i),i), Idle^)) 
and r' = r(t', we can show that Lemma I A . 21 holds . 

• Case 2: t = (q,j) —>m(q' \ u ) t> a with a E T. Then, there is i E [0, /c] such that 
State (c\) = q, State(c) = q', Active{c{) = (7, i), Active(c) = (u, i), and Idle(c) = 
Idle(ci) + Id^wjJ^- From the definition of At', we have i' = (g, (7, i)} — >M'Wi 

> (a,t + 1). Then, by taking c' = (<?', ((u, i), i), Idlefa) + and r> = r[t', 

we can show that Lemma lA.21 holds. 

• Case 3: t = ((7,7} W> u )- Then, there is i E [0, A;] such that State (c\) = q, 
State{c) = q', Active{c\) = (7, i), Active(c) = JL, and Idle(c) = Idle(c\) + Id^'^j ■ 
From the definition of At', we have t' = {q, (7, i)) *-*m' W ■> O^M + !)}• Then, by taking 
c' = (q', ±, Idle(di) + Id^w^Jn + ) and r' = r{t', we can show that Lemma [A. 2 1 holds. 

• Case 4: t = q q' <l 7 with 7 E T. Then, there is i E [0, fc] such that State{c\) = q, 
State(c) = q', Actwe{c\) = _L, Active(c) = (7, £), Idle{ci){{^f,i)) > 1, and Idle(c) = 
Idle(d) - Id^fjl)- From the definit ion of At', we have t' = q q' O (7)0- Then, 
by taking c' = (g' , ((7, £),£), Idle(c\) — 'd^^^jn ) and r' = r{t', we can show that all 
the conditions of Lemma [A. 21 are satisfied. This is possible since Idte(c' 1 )(((7, z), «)) = 
Me(ci)((7,i)) > 1. 

□ 
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Basis, n = 0. Then, r' = e and cj$ = c' = (g 0> J- By taking c = c^' 1 
(go ; -Lj Idi' an d r = e, we can show that all the conditions of Lemma lA.3l are fulfilled. 



The If direction of Lemma 13.31 : In the following, we shows that if a state q is reachable 
by a computation of M! ', then q is A-bounded reachable by M.. 

Le mm a A.3. ,/c S ^ nM/ , the n thm is r e A* «* ^ >](M) c where 

the configuration c G Conf(M) is defined as follows: 

• State(c) = State(c'). 

• If Active (c') = _!_, then Active(c) = _L. 

• If Active (c') = ((u>,i),i) for some w G r e and i G [0, A;], £/ien Active(c) = (w,i). 

• Idle(c) is defined from Idle(c') as follows: 

(1) 7dte(c)((«/,j')) = Idle(c')(((w',j'),j')) for all w' G T e and j' G [0,/c + 1], and 

(2) otherwise. 

Proof. First, we observe that if c^ 1 , = $'*j-{M') c '> then by Lemma I A. II AcZroefV) = _L or 

■ ■ t' 

Active(c') = ((w,i),i) for some u> G r e and i G [0, k\. Let us assume that c'j$, ==> f(M') c ' 
for some n G N. We proceed by induction on n. 

C M' = c' = \HU,->-,™Loc{M') >■ ^ — 

'Loc(M) 

Step. $n > 0$. Then, there are $\tau'_1 \in (\Delta')^*$, $t' \in \Delta'$, and $c'_1 \in Conf(\mathcal{M}')$ such that:

$c^{init}_{\mathcal{M}'} \Rightarrow^{\tau'_1}_{\mathcal{T}(\mathcal{M}')} c'_1 \rightarrow^{t'}_{\mathcal{T}(\mathcal{M}')} c'$ (A.2)

We apply Lemma A.1 to $c^{init}_{\mathcal{M}'} \Rightarrow^{\tau'_1}_{\mathcal{T}(\mathcal{M}')} c'_1$ and $c^{init}_{\mathcal{M}'} \Rightarrow^{\tau'}_{\mathcal{T}(\mathcal{M}')} c'$, and we obtain that:

• $Active(c'), Active(c'_1) \in (\{\bot\} \cup \{((w,i),i) \mid w \in \Gamma_\varepsilon,\ i \in [0,k]\})$,

• $Idle(c'_1)((\varepsilon, l)) = Idle(c')((\varepsilon, l)) = 0$ for all $l \in \mathbb{N}$, and

• $Idle(c'_1)(((w', i'), j')) = Idle(c')(((w', i'), j')) = 0$ for all $w' \in \Gamma_\varepsilon$ and $i' \neq j'$.

We apply also the induction hypothesis to $c^{init}_{\mathcal{M}'} \Rightarrow^{\tau'_1}_{\mathcal{T}(\mathcal{M}')} c'_1$, and we obtain that there are $\tau_1 \in \Delta^*$ and $c_1 \in Conf(\mathcal{M})$ such that:

• $c^{init}_{\mathcal{M}} \Rightarrow^{\tau_1}_{\mathcal{T}_{[0,k]}(\mathcal{M})} c_1$.

• $State(c_1) = State(c'_1)$.

• If $Active(c'_1) = \bot$, then $Active(c_1) = \bot$.

• If $Active(c'_1) = ((w,i),i)$ for some $w \in \Gamma_\varepsilon$ and $i \in [0,k]$, then $Active(c_1) = (w,i)$.

• The function $Idle(c_1)$ is defined from $Idle(c'_1)$ as follows:

(1) $Idle(c_1)((w', j')) = Idle(c'_1)(((w', j'), j'))$ for all $w' \in \Gamma_\varepsilon$ and $j' \in [0, k+1]$, and

(2) $0$ otherwise.

On the other hand, $c'_1 \rightarrow^{t'}_{\mathcal{T}(\mathcal{M}')} c'$ implies that one of the following four cases holds:

• Case 1: $t' = (q, (\gamma, i)) \hookrightarrow_{\mathcal{M}'} (q', (u, i)) \triangleright \varepsilon$ with $i \in [0,k]$. Then, $State(c'_1) = q$, $State(c') = q'$, $Active(c'_1) = ((\gamma, i), i)$, $Active(c') = ((u, i), i)$, and $Idle(c'_1) = Idle(c')$. We can use the definition of $\mathcal{M}'$ to show that $t = (q, \gamma) \hookrightarrow_{\mathcal{M}} (q', u) \triangleright \varepsilon$. Then, by taking $c = (q', (u, i), Idle(c_1))$ and $\tau = \tau_1 t$, we can show that Lemma A.3 holds.

• Case 2: $t' = (q, (\gamma, i)) \hookrightarrow_{\mathcal{M}'} (q', (u, i)) \triangleright (\alpha, i+1)$ with $i \in [0,k]$ and $\alpha \in \Gamma$. Then, $State(c'_1) = q$, $State(c') = q'$, $Active(c'_1) = ((\gamma, i), i)$, $Active(c') = ((u, i), i)$, and $Idle(c') = Idle(c'_1) + Id^{\{((\alpha, i+1), i+1)\}}_{Loc(\mathcal{M}')}$. The definition of $\mathcal{M}'$ implies $t = (q, \gamma) \hookrightarrow_{\mathcal{M}} (q', u) \triangleright \alpha$. Then, by taking $c = (q', (u, i), Idle(c_1) + Id^{\{(\alpha, i+1)\}}_{Loc(\mathcal{M})})$ and $\tau = \tau_1 t$, we can show that Lemma A.3 holds.

• Case 3: $t' = (q, (\gamma, i)) \mapsto_{\mathcal{M}'} (q', (u, i+1))$ with $i \in [0,k]$. Then, $State(c'_1) = q$, $State(c') = q'$, $Active(c'_1) = ((\gamma, i), i)$, $Active(c') = \bot$, and $Idle(c') = Idle(c'_1) + Id^{\{((u, i+1), i+1)\}}_{Loc(\mathcal{M}')}$. We can use the definition of $\mathcal{M}'$ to show that $t = (q, \gamma) \mapsto_{\mathcal{M}} (q', u)$. Then, by taking $c = (q', \bot, Idle(c_1) + Id^{\{(u, i+1)\}}_{Loc(\mathcal{M})})$ and $\tau = \tau_1 t$, we can show that all the conditions of Lemma A.3 are fulfilled.

• Case 4: $t' = q \hookrightarrow_{\mathcal{M}'} q' \triangleleft (\gamma, i)$ with $i \in [0,k]$. Then, $State(c'_1) = q$, $State(c') = q'$, $Active(c'_1) = \bot$, $Active(c') = ((\gamma, i), i)$, $Idle(c'_1)(((\gamma, i), i)) \geq 1$, and $Idle(c') = Idle(c'_1) - Id^{\{((\gamma, i), i)\}}_{Loc(\mathcal{M}')}$. This is due to the fact that $Idle(c'_1)(((\gamma, i), j)) = 0$ for all $j \in \mathbb{N}$ such that $i \neq j$. We can use the definition of $\mathcal{M}'$ to show that $t = q \hookrightarrow_{\mathcal{M}} q' \triangleleft \gamma$. Then, by taking $c = (q', (\gamma, i), Idle(c_1) - Id^{\{(\gamma, i)\}}_{Loc(\mathcal{M})})$ and $\tau = \tau_1 t$, we can easily show that all the conditions of Lemma A.3 are fulfilled. This is possible since $Idle(c_1)((\gamma, i)) = Idle(c'_1)(((\gamma, i), i))$ and $Idle(c'_1)(((\gamma, i), i)) \geq 1$.

□

As an immediate consequence of Lemma A.2 and Lemma A.3 we obtain that for every state $q \in Q$, $q$ is $k$-bounded reachable by $\mathcal{M}$ iff $q$ is reachable by $\mathcal{M}'$. □



Appendix B. The proof of Lemma 3.5

Lemma 3.5. Let $q \in Q$. $q$ is reachable by $\mathcal{M}$ if and only if $(q, \bot)$ is reachable by $\mathcal{V}$.

Proof. To prove Lemma 3.5 we proceed as follows: First, we introduce the function $\mu$ which defines a simulation relation between $\mathcal{M}$ and $\mathcal{V}$ (see Definition B.1). Then, we show that if a state $q$ is reachable by $\mathcal{M}$, then $(q, \bot)$ is also reachable by $\mathcal{V}$ (see Lemma B.2). Finally, we prove that if $(q, \bot)$ is reachable by $\mathcal{V}$, then $q$ is reachable by $\mathcal{M}$ (see Lemma B.3).

The simulation relation between $\mathcal{V}$ and $\mathcal{M}$: Let us define the function $\mu$ which maps every configuration of $\mathcal{M}$ to a configuration of $\mathcal{V}$.

Definition B.1. Let $\mu$ be a function from $Conf(\mathcal{M})$ to $Conf(\mathcal{V})$ such that: For every $c \in Conf(\mathcal{M})$, we have $\mu(c) = ((q, \eta), u)$ where:

• $q = State(c)$,

• $\eta = \bot$ if $Active(c) = \bot$,

• $\eta = w$ if $Active(c) = (w, i)$ for some $w \in \Gamma_\varepsilon$ and $i \in \mathbb{N}$,

• (1) $u[i] = \sum_{j \in \mathbb{N}} Idle(c)((\gamma_{i-1}, j))$ for all $i \in [1, m[$, and (2) $u[m] = \sum_{j \in \mathbb{N}} Idle(c)((\varepsilon, j))$.
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The Only if direction of Lemma 13.51 : In the following, we show that if a state q is 
reachable by At, then (q, _L) is also reachable by V. 

Lemma B.2. If d$ =^ (M)C; then ((p , -1), Uo)=^f ( V )A*( C )- 

Proof. We use induction on the length of the run $c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{M})} c$. For some $\ell \in \mathbb{N}$ assume that this run has length $\ell$. We proceed by induction on $\ell$.

Basis. $\ell = 0$. Then $c = c^{init}_{\mathcal{M}}$ and $\tau = \varepsilon$. Moreover, we have $\mu(c^{init}_{\mathcal{M}}) = ((q_0, \bot), u_0)$. This implies that $((q_0, \bot), u_0) \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{V})} \mu(c)$ holds.

Step. $\ell > 0$. Then there are $c' \in Conf(\mathcal{M})$, $\tau' \in \Sigma^*$, and $t \in \Sigma$ such that $\tau = \tau' t$ and:

$c^{init}_{\mathcal{M}} \Rightarrow^{\tau'}_{\mathcal{T}(\mathcal{M})} c' \rightarrow^{t}_{\mathcal{T}(\mathcal{M})} c$ (B.1)

We apply the induction hypothesis to the run $c^{init}_{\mathcal{M}} \Rightarrow^{\tau'}_{\mathcal{T}(\mathcal{M})} c'$, and we obtain:

$((q_0, \bot), u_0) \Rightarrow^{\tau'}_{\mathcal{T}(\mathcal{V})} \mu(c')$ (B.2)

Let us assume that $\mu(c') = \hat{c}'$ and $\mu(c) = \hat{c}$. Since $c' \rightarrow^{t}_{\mathcal{T}(\mathcal{M})} c$, one of the following cases holds:

• Case 1: If $t = (q, \gamma) \hookrightarrow_{\mathcal{M}} (q', u) \triangleright \varepsilon$. Then, there is $i \in \mathbb{N}$ such that $State(c') = q$, $State(c) = q'$, $Active(c') = (\gamma, i)$, $Active(c) = (u, i)$, and $Idle(c) = Idle(c')$. We can use the definition of $\mu$ to show that $State(\hat{c}') = (q, \gamma)$, $State(\hat{c}) = (q', u)$, and $Val(\hat{c}) = Val(\hat{c}')$. Moreover, from the definition of $\mathcal{V}$, we have $\delta((q, \gamma), t) = ((q', u), 0_m)$. This implies that $\hat{c}' \rightarrow^{t}_{\mathcal{T}(\mathcal{V})} \hat{c}$, and so we obtain $((q_0, \bot), u_0) \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{V})} \mu(c)$.

• Case 2: If $t = (q, \gamma) \hookrightarrow_{\mathcal{M}} (q', u) \triangleright \gamma_{j-1}$ for some $j \in [1, m[$. Then, there is $i \in \mathbb{N}$ such that $State(c') = q$, $State(c) = q'$, $Active(c') = (\gamma, i)$, $Active(c) = (u, i)$, and $Idle(c) = Idle(c') + Id^{\{(\gamma_{j-1}, i+1)\}}_{Loc(\mathcal{M})}$. We can use the definition of $\mu$ to show that $State(\hat{c}') = (q, \gamma)$, $State(\hat{c}) = (q', u)$, and $Val(\hat{c}) = Val(\hat{c}')[j \leftarrow (Val(\hat{c}')[j] + 1)]$. Moreover, from the definition of $\mathcal{V}$, we have $\delta((q, \gamma), t) = ((q', u), 0_m[j \leftarrow 1])$. This implies that $\hat{c}' \rightarrow^{t}_{\mathcal{T}(\mathcal{V})} \hat{c}$, and so we obtain $((q_0, \bot), u_0) \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{V})} \mu(c)$.

• Case 3: If $t = (q, \gamma) \mapsto_{\mathcal{M}} (q', \varepsilon)$. Then, there is $i \in \mathbb{N}$ such that $State(c') = q$, $State(c) = q'$, $Active(c') = (\gamma, i)$, $Active(c) = \bot$, and $Idle(c) = Idle(c') + Id^{\{(\varepsilon, i+1)\}}_{Loc(\mathcal{M})}$. We can use the definition of $\mu$ to show that $State(\hat{c}') = (q, \gamma)$, $State(\hat{c}) = (q', \bot)$, and $Val(\hat{c}) = Val(\hat{c}')[m \leftarrow (Val(\hat{c}')[m] + 1)]$. Moreover, from the definition of $\mathcal{V}$, we have $\delta((q, \gamma), t) = ((q', \bot), 0_m[m \leftarrow 1])$. This implies that $\hat{c}' \rightarrow^{t}_{\mathcal{T}(\mathcal{V})} \hat{c}$, and so we obtain $((q_0, \bot), u_0) \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{V})} \mu(c)$.

• Case 4: If $t = (q, \gamma) \mapsto_{\mathcal{M}} (q', \gamma_{j-1})$ for some $j \in [1, m[$. Then, there is $i \in \mathbb{N}$ such that $State(c') = q$, $State(c) = q'$, $Active(c') = (\gamma, i)$, $Active(c) = \bot$, and $Idle(c) = Idle(c') + Id^{\{(\gamma_{j-1}, i+1)\}}_{Loc(\mathcal{M})}$. We can use the definition of $\mu$ to show that $State(\hat{c}') = (q, \gamma)$, $State(\hat{c}) = (q', \bot)$, and $Val(\hat{c}) = Val(\hat{c}')[j \leftarrow (Val(\hat{c}')[j] + 1)]$. Moreover, from the definition of $\mathcal{V}$, we have $\delta((q, \gamma), t) = ((q', \bot), 0_m[j \leftarrow 1])$. This implies that $\hat{c}' \rightarrow^{t}_{\mathcal{T}(\mathcal{V})} \hat{c}$, and so we obtain $((q_0, \bot), u_0) \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{V})} \mu(c)$.

• Case 5: If $t = q \hookrightarrow_{\mathcal{M}} q' \triangleleft \gamma_{j-1}$ for some $j \in [1, m[$. Then, there is $i \in \mathbb{N}$ such that $State(c') = q$, $State(c) = q'$, $Active(c') = \bot$, $Active(c) = (\gamma_{j-1}, i)$, $Idle(c')((\gamma_{j-1}, i)) \geq 1$, and $Idle(c) = Idle(c') - Id^{\{(\gamma_{j-1}, i)\}}_{Loc(\mathcal{M})}$. We can use the definition of $\mu$ to show $State(\hat{c}') = (q, \bot)$, $State(\hat{c}) = (q', \gamma_{j-1})$, $Val(\hat{c}')[j] \geq 1$, and $Val(\hat{c}) = Val(\hat{c}')[j \leftarrow (Val(\hat{c}')[j] - 1)]$. Moreover, from the definition of $\mathcal{V}$, we have $\delta((q, \bot), t) = ((q', \gamma_{j-1}), 0_m[j \leftarrow -1])$. This implies that $\hat{c}' \rightarrow^{t}_{\mathcal{T}(\mathcal{V})} \hat{c}$, and so we obtain $((q_0, \bot), u_0) \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{V})} \mu(c)$.

□
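A worked instance of the simulation $\mu$ of Definition B.1 and of Case 2 of Lemma B.2, added here as an illustration and not part of the original proof; the concrete configuration and transition below are constructed for the example. Take $m = 3$, so $\mathcal{V}$ has one counter each for $\gamma_0$, $\gamma_1$ and $\varepsilon$, and let

$$c' = \big(q,\ (\gamma_0, 1),\ Id^{\{(\gamma_1, 0)\}}_{Loc(\mathcal{M})} + 2 \cdot Id^{\{(\varepsilon, 2)\}}_{Loc(\mathcal{M})}\big),$$

i.e. the active thread has stack $\gamma_0$ and switch number $1$, one idle thread has local configuration $(\gamma_1, 0)$, and two terminated threads have local configuration $(\varepsilon, 2)$. By Definition B.1,

$$u[1] = \sum_{j} Idle(c')((\gamma_0, j)) = 0,\qquad u[2] = \sum_{j} Idle(c')((\gamma_1, j)) = 1,\qquad u[3] = \sum_{j} Idle(c')((\varepsilon, j)) = 2,$$

so $\mu(c') = ((q, \gamma_0), (0, 1, 2))$. Now fire $t = (q, \gamma_0) \hookrightarrow_{\mathcal{M}} (q', u) \triangleright \gamma_1$, which is Case 2 with $j = 2$ and $i = 1$. The created thread receives switch number $i + 1 = 2$, so

$$c = \big(q',\ (u, 1),\ Idle(c') + Id^{\{(\gamma_1, 2)\}}_{Loc(\mathcal{M})}\big) \quad\text{and}\quad \mu(c) = ((q', u), (0, 2, 2)).$$

On the $\mathcal{V}$ side, $\delta((q, \gamma_0), t) = ((q', u), 0_3[2 \leftarrow 1])$ takes $\mu(c') = ((q, \gamma_0), (0, 1, 2))$ to $((q', u), (0, 1, 2) + (0, 1, 0)) = \mu(c)$, as Lemma B.2 requires. Note that $\mu$ sums over all switch numbers: the two $\gamma_1$ threads of $c$, with switch numbers $0$ and $2$, are indistinguishable in $\mu(c)$, which is why Lemma 3.5 relates plain (unbounded) reachability of $\mathcal{M}$, not $k$-bounded reachability, to reachability of $\mathcal{V}$.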

The If direction of Lemma 3.5: In the following, we prove that if $(q, \bot)$ is reachable by $\mathcal{V}$, then $q$ is reachable by $\mathcal{M}$.

Lemma B.3. Let $\hat{c} \in (Q \times (\Gamma_\varepsilon \cup \{\bot\})) \times \mathbb{N}^m$ and $\tau \in \Sigma^*$. If $((q_0, \bot), u_0) \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{V})} \hat{c}$, then there is $c \in Conf(\mathcal{M})$ such that $\hat{c} = \mu(c)$ and $c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{M})} c$.

Proof. We use induction on the length of the run $((q_0, \bot), u_0) \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{V})} \hat{c}$. For some $\ell \in \mathbb{N}$ assume that this run has length $\ell$. We proceed by induction on $\ell$.

Basis. $\ell = 0$. Then, $((q_0, \bot), u_0) = \hat{c}$ and $\tau = \varepsilon$. By taking $c = c^{init}_{\mathcal{M}}$, we have $c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{M})} c$. Moreover, using the definition of $\mu$, we have $\mu(c^{init}_{\mathcal{M}}) = \mu(c) = ((q_0, \bot), u_0) = \hat{c}$.

Step. $\ell > 0$. Then, there are $\hat{c}' \in Conf(\mathcal{V})$, $\tau' \in \Sigma^*$, and $t \in \Sigma$ such that $\tau = \tau' t$ and $((q_0, \bot), u_0) \Rightarrow^{\tau'}_{\mathcal{T}(\mathcal{V})} \hat{c}' \rightarrow^{t}_{\mathcal{T}(\mathcal{V})} \hat{c}$. Moreover, we can assume that $State(\hat{c}') \in Q \times (\Gamma_\varepsilon \cup \{\bot\})$ since $State(\hat{c}) \in Q \times (\Gamma_\varepsilon \cup \{\bot\})$ (see the definition of the transition function of $\mathcal{V}$).

We apply now the induction hypothesis to the run $((q_0, \bot), u_0) \Rightarrow^{\tau'}_{\mathcal{T}(\mathcal{V})} \hat{c}'$, and we obtain that there is a configuration $c' \in Conf(\mathcal{M})$ such that $\mu(c') = \hat{c}'$ and $c^{init}_{\mathcal{M}} \Rightarrow^{\tau'}_{\mathcal{T}(\mathcal{M})} c'$. On the other hand, the run $\hat{c}' \rightarrow^{t}_{\mathcal{T}(\mathcal{V})} \hat{c}$ implies that one of the following cases holds:

• Case 1: If $t = (q, \gamma) \hookrightarrow_{\mathcal{M}} (q', u) \triangleright \varepsilon$. Then, from the definition of $\mathcal{V}$, we have $State(\hat{c}') = (q, \gamma)$, $State(\hat{c}) = (q', u)$, and $Val(\hat{c}) = Val(\hat{c}')$. Moreover, from the definition of the function $\mu$, we know that there is $i \in \mathbb{N}$ such that $State(c') = q$ and $Active(c') = (\gamma, i)$. Let $c = (q', (u, i), Idle(c'))$. Then, $c' \rightarrow^{t}_{\mathcal{T}(\mathcal{M})} c$ and $\mu(c) = \hat{c}$. So, we obtain $\hat{c} = \mu(c)$ and $c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{M})} c$.

• Case 2: If $t = (q, \gamma) \hookrightarrow_{\mathcal{M}} (q', u) \triangleright \gamma_{j-1}$ for some $j \in [1, m[$. Then, from the definition of $\mathcal{V}$, we have $State(\hat{c}') = (q, \gamma)$, $State(\hat{c}) = (q', u)$, and $Val(\hat{c}) = Val(\hat{c}')[j \leftarrow (Val(\hat{c}')[j] + 1)]$. Moreover, from the definition of the function $\mu$, we know that there is $i \in \mathbb{N}$ such that $State(c') = q$ and $Active(c') = (\gamma, i)$. Let $c = (q', (u, i), Idle(c') + Id^{\{(\gamma_{j-1}, i+1)\}}_{Loc(\mathcal{M})})$. Then, $c' \rightarrow^{t}_{\mathcal{T}(\mathcal{M})} c$ and $\mu(c) = \hat{c}$. So, we obtain $\hat{c} = \mu(c)$ and $c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{M})} c$.

• Case 3: If $t = (q, \gamma) \mapsto_{\mathcal{M}} (q', \varepsilon)$. Then, from the definition of $\mathcal{V}$, we have $State(\hat{c}') = (q, \gamma)$, $State(\hat{c}) = (q', \bot)$, and $Val(\hat{c}) = Val(\hat{c}')[m \leftarrow (Val(\hat{c}')[m] + 1)]$. Moreover, from the definition of the function $\mu$, we know that there is $i \in \mathbb{N}$ such that $State(c') = q$ and $Active(c') = (\gamma, i)$. Let $c = (q', \bot, Idle(c') + Id^{\{(\varepsilon, i+1)\}}_{Loc(\mathcal{M})})$. Then, $c' \rightarrow^{t}_{\mathcal{T}(\mathcal{M})} c$ and $\mu(c) = \hat{c}$. So, we obtain $\hat{c} = \mu(c)$ and $c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{M})} c$.

• Case 4: If $t = (q, \gamma) \mapsto_{\mathcal{M}} (q', \gamma_{j-1})$ for some $j \in [1, m[$. Then, from the definition of $\mathcal{V}$, we have $State(\hat{c}') = (q, \gamma)$, $State(\hat{c}) = (q', \bot)$, and $Val(\hat{c}) = Val(\hat{c}')[j \leftarrow (Val(\hat{c}')[j] + 1)]$. Moreover, from the definition of the function $\mu$, we know that there is $i \in \mathbb{N}$ such that $State(c') = q$ and $Active(c') = (\gamma, i)$. Let $c = (q', \bot, Idle(c') + Id^{\{(\gamma_{j-1}, i+1)\}}_{Loc(\mathcal{M})})$. Then, $c' \rightarrow^{t}_{\mathcal{T}(\mathcal{M})} c$ and $\mu(c) = \hat{c}$. So, we obtain $\hat{c} = \mu(c)$ and $c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{M})} c$.

• Case 5: If $t = q \hookrightarrow_{\mathcal{M}} q' \triangleleft \gamma_{j-1}$ for some $j \in [1, m[$. Then, from the definition of $\mathcal{V}$, we have $State(\hat{c}') = (q, \bot)$, $State(\hat{c}) = (q', \gamma_{j-1})$, $Val(\hat{c}')[j] \geq 1$, and $Val(\hat{c}) = Val(\hat{c}')[j \leftarrow (Val(\hat{c}')[j] - 1)]$. Moreover, from the definition of the function $\mu$, we know that there is $i \in \mathbb{N}$ such that $State(c') = q$, $Active(c') = \bot$, and $Idle(c')((\gamma_{j-1}, i)) \geq 1$. Let $c = (q', (\gamma_{j-1}, i), Idle(c') - Id^{\{(\gamma_{j-1}, i)\}}_{Loc(\mathcal{M})})$. Then, $c$ is well defined, $c' \rightarrow^{t}_{\mathcal{T}(\mathcal{M})} c$, and $\mu(c) = \hat{c}$. So, we obtain $\hat{c} = \mu(c)$ and $c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}(\mathcal{M})} c$. □

Hence Lemma 3.5 is an immediate consequence of Lemma B.2 and Lemma B.3. □



Appendix C. The proof of Lemma 3.7

Lemma 3.7. Let $q \in Q$. $q$ is reachable by $\mathcal{V}$ if and only if $q$ is 2-bounded reachable by $\mathcal{M}$.

Proof. To prove Lemma 3.7 we proceed as follows: First, we prove that if $q \in Q$ is reachable by $\mathcal{V}$, then $q$ is 2-bounded reachable by $\mathcal{M}$ (see Lemma C.1). Then, we show that if $q \in Q$ is 2-bounded reachable by $\mathcal{M}$, then $q$ is reachable by $\mathcal{V}$ (see Lemma C.2).

The If direction of Lemma 3.7: In the following, we show that if $q \in Q$ is reachable by $\mathcal{V}$, then $q$ is 2-bounded reachable by $\mathcal{M}$.

Lemma C.1. If $(q_0, 0_n) \Rightarrow^{\sigma}_{\mathcal{T}(\mathcal{V})} (q, u)$, then for every $m \in \mathbb{N}$, there are $\tau \in \Delta^*$ and $Val \in [Loc(\mathcal{M}) \to \mathbb{N}]$ such that: (1) $Val((\gamma_i, 2)) = u[i]$ for all $i \in [1, n]$, (2) $Val((\gamma_0, 1)) = m$, and (3) $c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}_{[0,2]}(\mathcal{M})} (q, \bot, Val)$.

Proof. We use induction on the length of the run $(q_0, 0_n) \Rightarrow^{\sigma}_{\mathcal{T}(\mathcal{V})} (q, u)$. For some $\ell \in \mathbb{N}$ assume that this run has length $\ell$. We proceed by induction on $\ell$.

Basis. $\ell = 0$. Then $\sigma = \varepsilon$, $q = q_0$ and $u = 0_n$. It is easy to observe that for every $m \in \mathbb{N}$, $\mathcal{T}_{[0,2]}(\mathcal{M})$ can, from the initial configuration $c^{init}_{\mathcal{M}}$, apply $m$ times the transition $t_0 = (p_0, \gamma_0) \hookrightarrow_{\mathcal{M}} (p_0, \gamma_0) \triangleright \gamma_0$ followed by the transition $t' = (p_0, \gamma_0) \mapsto_{\mathcal{M}} (q_0, \varepsilon)$ to reach the configuration $(q_0, \bot, Val)$ (i.e., $c^{init}_{\mathcal{M}} \Rightarrow^{t_0^m t'}_{\mathcal{T}_{[0,2]}(\mathcal{M})} (q_0, \bot, Val)$) with $Val((\gamma_0, 1)) = m$ and $Val((\gamma_i, 2)) = u[i]$ for all $i \in [1, n]$.

Step. $\ell > 0$. Then, there are $q' \in Q$, $u' \in \mathbb{N}^n$, $\sigma' \in \Sigma^*$, and $a \in \Sigma$ such that $\sigma = \sigma' a$ and:

$(q_0, 0_n) \Rightarrow^{\sigma'}_{\mathcal{T}(\mathcal{V})} (q', u') \rightarrow^{a}_{\mathcal{T}(\mathcal{V})} (q, u)$ (C.1)

We apply the induction hypothesis to $(q_0, 0_n) \Rightarrow^{\sigma'}_{\mathcal{T}(\mathcal{V})} (q', u')$, and we obtain that:

$\forall m' \in \mathbb{N},\ \exists \tau' \in \Delta^*$ and $\exists Val' \in [Loc(\mathcal{M}) \to \mathbb{N}]$ s.t.:
$c^{init}_{\mathcal{M}} \Rightarrow^{\tau'}_{\mathcal{T}_{[0,2]}(\mathcal{M})} (q', \bot,
 Val')$,
$Val'((\gamma_0, 1)) = m'$,
$Val'((\gamma_i, 2)) = u'[i],\ \forall i \in [1, n]$ (C.2)

Moreover, we have $(q', u') \rightarrow^{a}_{\mathcal{T}(\mathcal{V})} (q, u)$. This implies that $\delta(q', a) = (q, u - u')$, and one of the following cases holds:

• Case 1: If $u' = u$, then $t = q' \hookrightarrow_{\mathcal{M}} q' \triangleleft \gamma_0$, $t' = (q', \gamma_0) \hookrightarrow_{\mathcal{M}} (q, \gamma_0) \triangleright \varepsilon$, and $t'' = (q, \gamma_0) \mapsto_{\mathcal{M}} (q, \varepsilon)$. This implies that for every $Val \in [Loc(\mathcal{M}) \to \mathbb{N}]$, $\mathcal{T}_{[0,2]}(\mathcal{M})$ can move from the configuration $(q', \bot, Val + Id^{\{(\gamma_0, 1)\}}_{Loc(\mathcal{M})})$ to the configuration $(q, \bot, Val + Id^{\{(\varepsilon, 2)\}}_{Loc(\mathcal{M})})$. Now, we can use Equations C.2 to show that:

$\forall m \in \mathbb{N},\ \exists \tau \in \Delta^*$ and $\exists Val \in [Loc(\mathcal{M}) \to \mathbb{N}]$ s.t.:
$c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}_{[0,2]}(\mathcal{M})} (q, \bot, Val)$,
$Val((\gamma_0, 1)) = m$,
$Val((\gamma_i, 2)) = u[i],\ \forall i \in [1, n]$ (C.3)

• Case 2: If $u = u'[j \leftarrow (u'[j] + 1)]$ for some $j \in [1, n]$, then we have that $t = q' \hookrightarrow_{\mathcal{M}} q' \triangleleft \gamma_0$, $t' = (q', \gamma_0) \hookrightarrow_{\mathcal{M}} (q, \gamma_0) \triangleright \gamma_j$, and $t'' = (q, \gamma_0) \mapsto_{\mathcal{M}} (q, \varepsilon)$. This implies that for every $Val'' \in [Loc(\mathcal{M}) \to \mathbb{N}]$, $\mathcal{T}_{[0,2]}(\mathcal{M})$ can move from the configuration $(q', \bot, Val'' + Id^{\{(\gamma_0, 1)\}}_{Loc(\mathcal{M})})$ to the configuration $(q, \bot, Val)$ with $Val = Val'' + Id^{\{(\gamma_j, 2)\}}_{Loc(\mathcal{M})} + Id^{\{(\varepsilon, 2)\}}_{Loc(\mathcal{M})}$. Now, we can use Equations C.2 to show that:

$\forall m \in \mathbb{N},\ \exists \tau \in \Delta^*$ and $\exists Val \in [Loc(\mathcal{M}) \to \mathbb{N}]$ s.t.:
$c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}_{[0,2]}(\mathcal{M})} (q, \bot, Val)$,
$Val((\gamma_0, 1)) = m$,
$Val((\gamma_i, 2)) = u[i],\ \forall i \in [1, n]$ (C.4)

• Case 3: If $u = u'[j \leftarrow (u'[j] - 1)]$ and $u'[j] \geq 1$ for some $j \in [1, n]$, then $t = q' \hookrightarrow_{\mathcal{M}} q \triangleleft \gamma_j$, and $t' = (q, \gamma_j) \mapsto_{\mathcal{M}} (q, \varepsilon)$. This implies that for every $Val'' \in [Loc(\mathcal{M}) \to \mathbb{N}]$ such that $Val''((\gamma_j, 2)) \geq 1$, $\mathcal{T}_{[0,2]}(\mathcal{M})$ can move from the configuration $(q', \bot, Val'')$ to the configuration $(q, \bot, Val)$ with $Val = Val'' + Id^{\{(\varepsilon, 3)\}}_{Loc(\mathcal{M})} - Id^{\{(\gamma_j, 2)\}}_{Loc(\mathcal{M})}$. Now, we can use Equations C.2 to show that:

$\forall m \in \mathbb{N},\ \exists \tau \in \Delta^*$ and $\exists Val \in [Loc(\mathcal{M}) \to \mathbb{N}]$ s.t.:
$c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}_{[0,2]}(\mathcal{M})} (q, \bot, Val)$,
$Val((\gamma_0, 1)) = m$,
$Val((\gamma_i, 2)) = u[i],\ \forall i \in [1, n]$ (C.5)

(This is possible since $Val'((\gamma_j, 2)) = u'[j] \geq 1$.)

□

The Only if direction of Lemma 3.7: In the following, we show that if $q \in Q$ is 2-bounded reachable by $\mathcal{M}$, then $q$ is reachable by $\mathcal{V}$.

Lemma C.2. If $c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}_{[0,2]}(\mathcal{M})} c$ for some $\tau \in \Delta^*$ and $c \in Conf(\mathcal{M})$ such that $State(c) \in Q$, then the following conditions are satisfied:

(1) $Active(c) \in (\{\bot\} \cup \{(\gamma_0, 1)\} \cup ((\Gamma \setminus \{\gamma_0, \gamma'\}) \times \{2\}))$,

(2) $Idle(c)((\gamma_0, i)) = 0$ for all $i \in \mathbb{N}$,

(3) $Idle(c)((\gamma_j, i)) = 0$ for all $j \in [1, n]$ and $i \neq 2$,

(4) $Idle(c)((\gamma', i)) = 0$ for all $i \neq 1$, and

(5) there is $\sigma \in \Sigma^*$ with $(q_0, 0_n) \Rightarrow^{\sigma}_{\mathcal{T}(\mathcal{V})} (q, u)$, where $q = State(c)$ and $u[j] = Idle(c)((\gamma_j, 2))$ for all $j \in [1, n]$.

Proof. Again, we use induction. Let us assume that $c^{init}_{\mathcal{M}} \Rightarrow^{\tau}_{\mathcal{T}_{[0,2]}(\mathcal{M})} c$ for some $\tau \in \Delta^*$ and $c \in Conf(\mathcal{M})$ such that $State(c) \in Q$. Then, from the definition of $\mathcal{M}$, there are $\tau_1, \tau_2 \in \Delta^*$ and $m \in \mathbb{N}$ such that $\tau = \tau_1 \tau_2$ and $c^{init}_{\mathcal{M}} \Rightarrow^{\tau_1}_{\mathcal{T}_{[0,2]}(\mathcal{M})} (q_0, \bot, Val_0) \Rightarrow^{\tau_2}_{\mathcal{T}_{[0,2]}(\mathcal{M})} c$ with $Val_0((\gamma_0, 1)) = m$ and $Val_0((\alpha, j)) = 0$ for all $(\alpha, j) \in \Gamma \times \mathbb{N}$ such that $(\alpha, j) \neq (\gamma_0, 1)$. Since $(q_0, \bot, Val_0) \Rightarrow^{\tau_2}_{\mathcal{T}_{[0,2]}(\mathcal{M})} c$, there is $\ell \in \mathbb{N}$ such that this run has length $\ell$. To prove Lemma C.2 we proceed by induction on $\ell$.

Basis. $\ell = 0$. Then, $\tau_2 = \varepsilon$ and $c = (q_0, \bot, Val_0)$. By taking $\sigma = \varepsilon$ and $u = 0_n$, we have $(q_0, 0_n) \Rightarrow^{\sigma}_{\mathcal{T}(\mathcal{V})} (q, u)$ with $q = State(c)$ and $u[i] = Idle(c)((\gamma_i, 2)) = 0$ for all $i \in [1, n]$. Moreover, we have $Idle(c)((\alpha, j)) = 0$ for all $(\alpha, j) \in \Gamma \times \mathbb{N}$ such that $(\alpha, j) \neq (\gamma_0, 1)$.

Step. $\ell > 0$. Then, there are $\tau' \in \Delta^*$, $t \in \Delta$, and $c' \in Conf(\mathcal{M})$ such that $\tau_2 = \tau' t$ and

$(q_0, \bot, Val_0) \Rightarrow^{\tau'}_{\mathcal{T}_{[0,2]}(\mathcal{M})} c' \rightarrow^{t}_{\mathcal{T}_{[0,2]}(\mathcal{M})} c$

From the definition of $\mathcal{M}$, it is not hard to prove that $State(c') \in Q$. We apply the induction hypothesis to $(q_0, \bot, Val_0) \Rightarrow^{\tau'}_{\mathcal{T}_{[0,2]}(\mathcal{M})} c'$, and we obtain that the following conditions are satisfied:

• $Active(c') \in (\{\bot\} \cup \{(\gamma_0, 1)\} \cup ((\Gamma \setminus \{\gamma_0, \gamma'\}) \times \{2\}))$,

• $Idle(c')((\gamma_0, i)) = 0$ for all $i \in \mathbb{N}$,

• $Idle(c')((\gamma_j, i)) = 0$ for all $j \in [1, n]$ and $i \neq 2$,

• $Idle(c')((\gamma', i)) = 0$ for all $i \neq 1$, and

• there is $\sigma' \in \Sigma^*$ such that:

$(q_0, 0_n) \Rightarrow^{\sigma'}_{\mathcal{T}(\mathcal{V})} (q', u')$ (C.6)

where $q' = State(c')$ and $u'[j] = Idle(c')((\gamma_j, 2))$ for all $j \in [1, n]$.

Moreover, we have $c' \rightarrow^{t}_{\mathcal{T}_{[0,2]}(\mathcal{M})} c$. This implies that one of the following cases holds:

• Case 1: $t = (q', \gamma_0) \hookrightarrow_{\mathcal{M}} (q, \gamma_0) \triangleright \varepsilon$. Then, $State(c) = q$, $State(c') = q'$, $Active(c) = Active(c') = (\gamma_0, 1)$, and $Idle(c) = Idle(c')$. This implies that the conditions 1-4 of Lemma C.2 are satisfied. Moreover, from the definition of $\mathcal{M}$, there is $a \in \Sigma$ such that $\delta(q', a) = (q, 0_n)$ since we have $t = (q', \gamma_0) \hookrightarrow_{\mathcal{M}} (q, \gamma_0) \triangleright \varepsilon$. This implies that $\mathcal{T}(\mathcal{V})$ can reach the configuration $(q, u')$ from the configuration $(q', u')$. I.e., we have the following computation of $\mathcal{T}(\mathcal{V})$:

$(q', u') \rightarrow^{a}_{\mathcal{T}(\mathcal{V})} (q, u)$ (C.7)

with $u = u'$. Putting together Equations C.6 and C.7 we obtain that:

$(q_0, 0_n) \Rightarrow^{\sigma' a}_{\mathcal{T}(\mathcal{V})} (q, u)$ (C.8)

Now, we can use the fact that $u = u'$, $Idle(c) = Idle(c')$, and $u'[j] = Idle(c')((\gamma_j, 2))$ for all $j \in [1, n]$, to show that $u[j] = Idle(c)((\gamma_j, 2))$ for all $j \in [1, n]$.

• Case 2: $t = (q', \gamma_0) \hookrightarrow_{\mathcal{M}} (q, \gamma_0) \triangleright \gamma_k$ for some $k \in [1, n]$. Then, $State(c) = q$, $State(c') = q'$, $Active(c) = Active(c') = (\gamma_0, 1)$, and $Idle(c) = Idle(c') + Id^{\{(\gamma_k, 2)\}}_{Loc(\mathcal{M})}$. This implies that the conditions 1-4 of Lemma C.2 are satisfied. Moreover, from the definition of $\mathcal{M}$, there is $a \in \Sigma$ such that $\delta(q', a) = (q, 0_n[k \leftarrow 1])$ since we have $t = (q', \gamma_0) \hookrightarrow_{\mathcal{M}} (q, \gamma_0) \triangleright \gamma_k$. This implies that $\mathcal{T}(\mathcal{V})$ can reach the configuration $(q, u)$ from the configuration $(q', u')$ with $u = u'[k \leftarrow (u'[k] + 1)]$. I.e., we have the following computation of $\mathcal{T}(\mathcal{V})$:

$(q', u') \rightarrow^{a}_{\mathcal{T}(\mathcal{V})} (q, u)$ (C.9)

Putting together Equations C.6 and C.9 we obtain that:

$(q_0, 0_n) \Rightarrow^{\sigma' a}_{\mathcal{T}(\mathcal{V})} (q, u)$ (C.10)

Now, we can use the fact that $u = u'[k \leftarrow (u'[k] + 1)]$, $Idle(c) = Idle(c') + Id^{\{(\gamma_k, 2)\}}_{Loc(\mathcal{M})}$, and $u'[j] = Idle(c')((\gamma_j, 2))$ for all $j \in [1, n]$, to show that $u[j] = Idle(c)((\gamma_j, 2))$ for all $j \in [1, n]$.

• Case 3: $t = (q', \gamma_k) \mapsto_{\mathcal{M}} (q', \varepsilon)$ for some $k \in [1, n]$. Then, $State(c) = State(c') = q'$, $Active(c) = \bot$, $Active(c') = (\gamma_k, 2)$, and $Idle(c) = Idle(c') + Id^{\{(\varepsilon, 3)\}}_{Loc(\mathcal{M})}$. This implies that the conditions 1-4 of Lemma C.2 are satisfied. Moreover, by taking $q = q'$, $\sigma = \sigma'$, and $u = u'$, we have:

$(q_0, 0_n) \Rightarrow^{\sigma}_{\mathcal{T}(\mathcal{V})} (q, u)$ (C.11)

Now, we can use the fact that $u = u'$, $Idle(c) = Idle(c') + Id^{\{(\varepsilon, 3)\}}_{Loc(\mathcal{M})}$, and $u'[j] = Idle(c')((\gamma_j, 2))$ for all $j \in [1, n]$, to show that $u[j] = Idle(c)((\gamma_j, 2))$ for all $j \in [1, n]$.

• Case 4: $t = q' \hookrightarrow_{\mathcal{M}} q \triangleleft \gamma_k$ for some $k \in [1, n]$. Then, $State(c) = q$, $State(c') = q'$, $Active(c) = (\gamma_k, 2)$, $Active(c') = \bot$, $Idle(c')((\gamma_k, 2)) \geq 1$, and $Idle(c) = Idle(c') - Id^{\{(\gamma_k, 2)\}}_{Loc(\mathcal{M})}$. This implies that the conditions 1-4 of Lemma C.2 are satisfied. Moreover, from the definition of $\mathcal{M}$, there is $a \in \Sigma$ such that $\delta(q', a) = (q, 0_n[k \leftarrow -1])$. This implies that $\mathcal{T}(\mathcal{V})$ can reach the configuration $(q, u)$ from the configuration $(q', u')$ with $u = u'[k \leftarrow (u'[k] - 1)]$ since $Idle(c')((\gamma_k, 2)) = u'[k] \geq 1$. I.e., we have the following computation of $\mathcal{T}(\mathcal{V})$:

$(q', u') \rightarrow^{a}_{\mathcal{T}(\mathcal{V})} (q, u)$ (C.12)

Putting together Equations C.6 and C.12 we obtain that:

$(q_0, 0_n) \Rightarrow^{\sigma' a}_{\mathcal{T}(\mathcal{V})} (q, u)$ (C.13)

Now, we can use that $u = u'[k \leftarrow (u'[k] - 1)]$, $Idle(c) = Idle(c') - Id^{\{(\gamma_k, 2)\}}_{Loc(\mathcal{M})}$, and $u'[j] = Idle(c')((\gamma_j, 2))$ for all $j \in [1, n]$, to show that $u[j] = Idle(c)((\gamma_j, 2))$ for all $j \in [1, n]$.

• Case 5: $t = (q', \gamma') \mapsto_{\mathcal{M}} (q', \varepsilon)$. Then, $State(c) = State(c') = q'$, $Active(c') = (\gamma', 1)$, $Active(c) = \bot$, and $Idle(c) = Idle(c') + Id^{\{(\varepsilon, 2)\}}_{Loc(\mathcal{M})}$. This implies that the conditions 1-4 of Lemma C.2 are satisfied. By taking $u = u'$, $\sigma = \sigma'$, and $q = q'$, we have that $\mathcal{T}(\mathcal{V})$ can reach the configuration $(q, u)$ from the configuration $(q', u')$. I.e., we have the following computation of $\mathcal{T}(\mathcal{V})$:

$(q_0, 0_n) \Rightarrow^{\sigma}_{\mathcal{T}(\mathcal{V})} (q, u)$ (C.14)

Now, we can use that $u = u'$, $Idle(c) = Idle(c') + Id^{\{(\varepsilon, 2)\}}_{Loc(\mathcal{M})}$, and $u'[j] = Idle(c')((\gamma_j, 2))$ for all $j \in [1, n]$, to show that $u[j] = Idle(c)((\gamma_j, 2))$ for all $j \in [1, n]$.

• Case 6: $t = q' \hookrightarrow_{\mathcal{M}} q' \triangleleft \gamma_0$. Then, $State(c) = State(c') = q'$, $Active(c) = (\gamma_0, 1)$, $Active(c') = \bot$, $Idle(c')((\gamma_0, 1)) \geq 1$, and $Idle(c) = Idle(c') - Id^{\{(\gamma_0, 1)\}}_{Loc(\mathcal{M})}$. This implies that the conditions 1-4 of Lemma C.2 are satisfied. By taking $u = u'$, $\sigma = \sigma'$, and $q = q'$, we have that $\mathcal{T}(\mathcal{V})$ can reach the configuration $(q, u)$ from the configuration $(q', u')$. I.e., we have the following computation of $\mathcal{T}(\mathcal{V})$:

$(q_0, 0_n) \Rightarrow^{\sigma}_{\mathcal{T}(\mathcal{V})} (q, u)$ (C.15)

Now, we can use that $u = u'$, $Idle(c) = Idle(c') - Id^{\{(\gamma_0, 1)\}}_{Loc(\mathcal{M})}$, and $u'[j] = Idle(c')((\gamma_j, 2))$ for all $j \in [1, n]$, to show that $u[j] = Idle(c)((\gamma_j, 2))$ for all $j \in [1, n]$. □

Hence, Lemma 3.7 is an immediate consequence of Lemma C.1 and Lemma C.2. □



Appendix D. The proof of Lemma 4.4

Lemma 4.4. A state $q \in F$ is $k$-stratified reachable by $\mathcal{M}$ if and only if there is $\sigma_i \in \Sigma^*$ for all $i \in [0, k]$ such that:

• $\sigma_0 \sigma_1 \cdots \sigma_k \in Traces_{\mathcal{T}(\mathcal{P})}(\{(q_0, \bot)\}, F \times \{\bot\})$, and

• $|\sigma_i|_{(\gamma, i, \triangleleft)} \leq |\sigma_{i-1}|_{(\gamma, i, \triangleright)}$ for all $\gamma \in \Gamma$ and $i \in [0, k]$ where $\sigma_{-1} = (\gamma_0, 0, \triangleright)$.

Proof. To prove Lemma 4.4 we need first to define a simulation relation $\mu$ between $\mathcal{M}$ and $\mathcal{P}$ that maps any configuration of $\mathcal{M}$ to a configuration of $\mathcal{P}$.

Definition D.1. Let $\mu$ be a function from $Q \times \Gamma_\mathcal{P} \times Loc(\mathcal{M})$ to $Conf(\mathcal{P})$ such that for every $c \in Q \times \Gamma_\mathcal{P} \times Loc(\mathcal{M})$, $\mu(c) = (State(c), Active(c))$.
The Only if direction of Lemma 4.4. In the following, we show that if there is a state $q \in F$ such that $q$ is $k$-stratified reachable by $\mathcal{M}$, then there is $\sigma_i \in \Sigma^*$ for all $i \in [0,k]$ such that $\sigma_0 \sigma_1 \cdots \sigma_k \in Traces_{T(\mathcal{P})}(\{(q_0, \bot)\}, F \times \{\bot\})$, and $|\sigma_i|_{(\gamma,i,\lhd)} \leq |\sigma_{i-1}|_{(\gamma,i,\rhd)}$ for all $\gamma \in \Gamma$ and $i \in [0,k]$, where $\sigma_{-1} = (\gamma_0, 0, \rhd)$.

To this aim, we first prove that if there is a run $c \Rightarrow^{\tau_i}_{T_{\{i\}}(\mathcal{M})} c'$ (where $\mathcal{M}$ executes only threads with switch number $i \in [0,k]$), then there is a run $\mu(c) \Rightarrow^{\sigma_i}_{T(\mathcal{P})} \mu(c')$ of $\mathcal{P}$ such that: (1) $\sigma_i \in \Sigma^*$, (2) the number of occurrences of $(\gamma, i, \lhd)$ in $\sigma_i$ is equal to the number of threads with local configuration $(\gamma, i)$ activated by $\mathcal{M}$, and (3) the number of threads with local configuration $(\gamma, i+1)$ created/added by $\mathcal{M}$ is equal to the number of occurrences of $(\gamma, i+1, \rhd)$ in $\sigma_i$.

Lemma D.2. For every $i \in [0,k]$ and $c, c' \in (Q \times \Gamma_{\mathcal{P}} \times Loc(\mathcal{M}))$, if there is $\tau_i \in \Delta^*$ such that $c \Rightarrow^{\tau_i}_{T_{\{i\}}(\mathcal{M})} c'$, then there is $\sigma_i \in \Sigma^*$ such that:

(1) $\mu(c) \Rightarrow^{\sigma_i}_{T(\mathcal{P})} \mu(c')$.

(2) $Idle(c)((\alpha, i)) \geq |\sigma_i|_{(\alpha,i,\lhd)}$ for all $\alpha \in \Gamma_\varepsilon$.

(3) $Idle(c')((\alpha, i)) = Idle(c)((\alpha, i)) - |\sigma_i|_{(\alpha,i,\lhd)}$ and $Idle(c')((\alpha, i+1)) = Idle(c)((\alpha, i+1)) + |\sigma_i|_{(\alpha,i+1,\rhd)}$ for all $\alpha \in \Gamma_\varepsilon$.

(4) $Idle(c')((\alpha, j)) = Idle(c)((\alpha, j))$ for all $(\alpha, j) \in \Gamma_\varepsilon \times [0, k+1]$ such that $j \notin \{i, i+1\}$.

Proof. Assume that $c \Rightarrow^{\tau_i}_{T_{\{i\}}(\mathcal{M})} c'$ with $|\tau_i| = \ell$ for some $\ell \in \mathbb{N}$. We proceed by induction on $\ell$.

Basis. $\ell = 0$. Then $\tau_i = \varepsilon$ and $c = c'$. By taking $\sigma_i = \varepsilon$, all the conditions of Lemma D.2 are fulfilled.

Step. $\ell > 0$. Then there are $\tau_i' \in \Delta^*$, $t \in \Delta$, and $c'' \in (Q \times \Gamma_{\mathcal{P}} \times Loc(\mathcal{M}))$ such that $\tau_i = \tau_i' t$ and:

$$c \Rightarrow^{\tau_i'}_{T_{\{i\}}(\mathcal{M})} c'' \xrightarrow{t}_{T_{\{i\}}(\mathcal{M})} c' \tag{D.1}$$

We apply the induction hypothesis to the run $c \Rightarrow^{\tau_i'}_{T_{\{i\}}(\mathcal{M})} c''$, and we obtain that there is $\sigma_i' \in \Sigma^*$ such that:

• $\mu(c) \Rightarrow^{\sigma_i'}_{T(\mathcal{P})} \mu(c'')$.

• $Idle(c)((\alpha, i)) \geq |\sigma_i'|_{(\alpha,i,\lhd)}$ for all $\alpha \in \Gamma_\varepsilon$.

• $Idle(c'')((\alpha, i)) = Idle(c)((\alpha, i)) - |\sigma_i'|_{(\alpha,i,\lhd)}$ and $Idle(c'')((\alpha, i+1)) = Idle(c)((\alpha, i+1)) + |\sigma_i'|_{(\alpha,i+1,\rhd)}$ for all $\alpha \in \Gamma_\varepsilon$.

• $Idle(c'')((\alpha, j)) = Idle(c)((\alpha, j))$ for all $(\alpha, j) \in \Gamma_\varepsilon \times [0, k+1]$ such that $j \notin \{i, i+1\}$.

Since we have $c'' \xrightarrow{t}_{T_{\{i\}}(\mathcal{M})} c'$, one of the following cases holds:

• Case 1: $t = (q'', \gamma) \hookrightarrow_{\mathcal{M}} (q', u) \rhd \varepsilon$. Then $State(c'') = q''$, $State(c') = q'$, $Active(c'') = (\gamma, i)$, $Active(c') = (u, i)$, and $Idle(c') = Idle(c'')$. Moreover, from the definition of $\mathcal{P}$, we have $(q'', (\gamma, i)) \xrightarrow{(\varepsilon, i, -)}_{\mathcal{P}} (q', (u, i))$. This implies that $T(\mathcal{P})$ has the following run:

$$(q'', (\gamma, i)) \xrightarrow{(\varepsilon, i, -)}_{T(\mathcal{P})} (q', (u, i)) \tag{D.2}$$

We can use the definition of $\mu$ to show that $\mu(c'') = (q'', (\gamma, i))$ and $\mu(c') = (q', (u, i))$.
M.F. ATIG, A. BOUAJJANI, AND S. QADEER

Then, let $\sigma_i = \sigma_i'(\varepsilon, i, -)$. Putting together the run $\mu(c) \Rightarrow^{\sigma_i'}_{T(\mathcal{P})} \mu(c'')$ and Equation (D.2), we obtain:

$$\mu(c) \Rightarrow^{\sigma_i}_{T(\mathcal{P})} \mu(c') \tag{D.3}$$

Then, we can use the fact that $Idle(c') = Idle(c'')$ and $\sigma_i = \sigma_i'(\varepsilon, i, -)$ to show that all the conditions of Lemma D.2 are fulfilled.

• Case 2: $t = (q'', \gamma) \hookrightarrow_{\mathcal{M}} (q', u) \rhd \alpha$ with $\alpha \in \Gamma$. Then $State(c'') = q''$, $State(c') = q'$, $Active(c'') = (\gamma, i)$, $Active(c') = (u, i)$, and $Idle(c') = Idle(c'') + \mathrm{Id}^{(\alpha, i+1)}_{Loc(\mathcal{M})}$. Moreover, from the definition of $\mathcal{P}$, we have $(q'', (\gamma, i)) \xrightarrow{(\alpha, i+1, \rhd)}_{\mathcal{P}} (q', (u, i))$. This implies that $T(\mathcal{P})$ has the following run:

$$(q'', (\gamma, i)) \xrightarrow{(\alpha, i+1, \rhd)}_{T(\mathcal{P})} (q', (u, i)) \tag{D.4}$$

We can use the definition of the function $\mu$ to show that $\mu(c'') = (q'', (\gamma, i))$ and $\mu(c') = (q', (u, i))$. Then, let $\sigma_i = \sigma_i'(\alpha, i+1, \rhd)$. Putting together the run $\mu(c) \Rightarrow^{\sigma_i'}_{T(\mathcal{P})} \mu(c'')$ and Equation (D.4), we obtain:

$$\mu(c) \Rightarrow^{\sigma_i}_{T(\mathcal{P})} \mu(c') \tag{D.5}$$

Then, we can use the fact that $Idle(c') = Idle(c'') + \mathrm{Id}^{(\alpha, i+1)}_{Loc(\mathcal{M})}$ and $\sigma_i = \sigma_i'(\alpha, i+1, \rhd)$ to show that all the conditions of Lemma D.2 are fulfilled.

• Case 3: $t = (q'', \gamma) \mapsto_{\mathcal{M}} (q', u)$. Then $State(c'') = q''$, $State(c') = q'$, $Active(c'') = (\gamma, i)$, $Active(c') = \bot$, and $Idle(c') = Idle(c'') + \mathrm{Id}^{(u, i+1)}_{Loc(\mathcal{M})}$. Moreover, from the definition of $\mathcal{P}$, we have $(q'', (\gamma, i)) \xrightarrow{(u, i+1, \rhd)}_{\mathcal{P}} (q', \bot)$. This implies that $T(\mathcal{P})$ has the following run:

$$(q'', (\gamma, i)) \xrightarrow{(u, i+1, \rhd)}_{T(\mathcal{P})} (q', \bot) \tag{D.6}$$

Using the definition of the function $\mu$, it is easy to observe that $\mu(c'') = (q'', (\gamma, i))$ and $\mu(c') = (q', \bot)$. Then, let $\sigma_i = \sigma_i'(u, i+1, \rhd)$. Putting together the run $\mu(c) \Rightarrow^{\sigma_i'}_{T(\mathcal{P})} \mu(c'')$ and Equation (D.6), we obtain:

$$\mu(c) \Rightarrow^{\sigma_i}_{T(\mathcal{P})} \mu(c') \tag{D.7}$$

Then, we can use the fact that $Idle(c') = Idle(c'') + \mathrm{Id}^{(u, i+1)}_{Loc(\mathcal{M})}$ and $\sigma_i = \sigma_i'(u, i+1, \rhd)$ to show that all the conditions of Lemma D.2 are fulfilled.

• Case 4: $t = q'' \mapsto_{\mathcal{M}} q' \lhd \gamma$. Then $State(c'') = q''$, $State(c') = q'$, $Active(c'') = \bot$, $Active(c') = (\gamma, i)$, $Idle(c'')((\gamma, i)) \geq 1$, and $Idle(c') = Idle(c'') - \mathrm{Id}^{(\gamma, i)}_{Loc(\mathcal{M})}$. Moreover, from the definition of $\mathcal{P}$, we have $(q'', \bot) \xrightarrow{(\gamma, i, \lhd)}_{\mathcal{P}} (q', (\gamma, i))$. This implies that $T(\mathcal{P})$ has the following run:

$$(q'', \bot) \xrightarrow{(\gamma, i, \lhd)}_{T(\mathcal{P})} (q', (\gamma, i)) \tag{D.8}$$

Using the definition of the function $\mu$, it is easy to observe that $\mu(c'') = (q'', \bot)$ and $\mu(c') = (q', (\gamma, i))$. Then, let $\sigma_i = \sigma_i'(\gamma, i, \lhd)$. Putting together the run $\mu(c) \Rightarrow^{\sigma_i'}_{T(\mathcal{P})} \mu(c'')$ and Equation (D.8), we obtain:

$$\mu(c) \Rightarrow^{\sigma_i}_{T(\mathcal{P})} \mu(c') \tag{D.9}$$

Then, we can use the fact that $Idle(c') = Idle(c'') - \mathrm{Id}^{(\gamma, i)}_{Loc(\mathcal{M})}$ and $\sigma_i = \sigma_i'(\gamma, i, \lhd)$ to show that all the conditions of Lemma D.2 are fulfilled. □
Now, we are ready to prove the only if direction of Lemma 4.4.

Lemma D.3. If $q \in F$ is $k$-stratified reachable by $\mathcal{M}$, then there is $\sigma_i \in \Sigma^*$ for all $i \in [0,k]$ such that $\sigma_0 \sigma_1 \cdots \sigma_k \in Traces_{T(\mathcal{P})}(\{(q_0, \bot)\}, F \times \{\bot\})$, and $|\sigma_i|_{(\gamma,i,\lhd)} \leq |\sigma_{i-1}|_{(\gamma,i,\rhd)}$ for all $\gamma \in \Gamma$ and $i \in [0,k]$, where $\sigma_{-1} = (\gamma_0, 0, \rhd)$.

Proof. Let us assume that there is a state $q \in F$ such that $q$ is $k$-stratified reachable by $\mathcal{M}$. Then, there are $\tau_0, \tau_1, \ldots, \tau_k \in \Delta^*$ and $c_1, \ldots, c_{k+1} \in Conf(\mathcal{M})$ such that $State(c_{k+1}) = q$, $Active(c_{k+1}) = \bot$, and we have:

$$c^{init}_{\mathcal{M}} \Rightarrow^{\tau_0}_{T_{\{0\}}(\mathcal{M})} c_1 \Rightarrow^{\tau_1}_{T_{\{1\}}(\mathcal{M})} \cdots \Rightarrow^{\tau_{k-1}}_{T_{\{k-1\}}(\mathcal{M})} c_k \Rightarrow^{\tau_k}_{T_{\{k\}}(\mathcal{M})} c_{k+1} \tag{D.10}$$

Notice that all the configurations $c^{init}_{\mathcal{M}}, c_1, c_2, \ldots, c_{k+1}$ are in $(Q \times \Gamma_{\mathcal{P}} \times Loc(\mathcal{M}))$ by definition. Then, we can use Lemma D.2 to show that there are $\sigma_i \in \Sigma^*$ for all $i \in [0,k]$ such that:

$$\mu(c^{init}_{\mathcal{M}}) \Rightarrow^{\sigma_0}_{T(\mathcal{P})} \mu(c_1) \Rightarrow^{\sigma_1}_{T(\mathcal{P})} \cdots \Rightarrow^{\sigma_{k-1}}_{T(\mathcal{P})} \mu(c_k) \Rightarrow^{\sigma_k}_{T(\mathcal{P})} \mu(c_{k+1}) \tag{D.11}$$

Then, we obtain $\sigma_0 \sigma_1 \cdots \sigma_k \in Traces_{T(\mathcal{P})}(\{(q_0, \bot)\}, F \times \{\bot\})$ since $\mu(c^{init}_{\mathcal{M}}) = (q_0, \bot)$, $State(c_{k+1}) = q \in F$, and $Active(c_{k+1}) = \bot$ (i.e., $\mu(c_{k+1}) \in F \times \{\bot\}$). Moreover, we can use the fact that $Idle(c^{init}_{\mathcal{M}}) = \mathrm{Id}^{(\gamma_0, 0)}_{Loc(\mathcal{M})}$ and the second condition of Lemma D.2 to prove that for every $\alpha \in \Gamma_\varepsilon$, we have $|\sigma_0|_{(\alpha,0,\lhd)} \leq |\sigma_{-1}|_{(\alpha,0,\rhd)}$ with $\sigma_{-1} = (\gamma_0, 0, \rhd)$.

Similarly, we can use conditions (3) and (4) of Lemma D.2 to prove that for every $j \in [1, k+1]$ and every $\alpha \in \Gamma_\varepsilon$, we have $Idle(c_j)((\alpha, j)) = |\sigma_{j-1}|_{(\alpha,j,\rhd)}$ and $Idle(c_j)((\alpha, j+1)) = 0$. So, for every $j \in [1,k]$ and $\alpha \in \Gamma_\varepsilon$, we can use the fact that $Idle(c_j)((\alpha, j)) = |\sigma_{j-1}|_{(\alpha,j,\rhd)}$ and the second condition of Lemma D.2 (i.e., $Idle(c_j)((\alpha, j)) \geq |\sigma_j|_{(\alpha,j,\lhd)}$) to prove that $|\sigma_{j-1}|_{(\alpha,j,\rhd)} \geq |\sigma_j|_{(\alpha,j,\lhd)}$. □



The If direction of Lemma 4.4. In the following, we prove that if there is $\sigma_i \in \Sigma^*$ for all $i \in [0,k]$ such that $\sigma_0 \sigma_1 \cdots \sigma_k \in Traces_{T(\mathcal{P})}(\{(q_0, \bot)\}, F \times \{\bot\})$, and $|\sigma_i|_{(\gamma,i,\lhd)} \leq |\sigma_{i-1}|_{(\gamma,i,\rhd)}$ for all $\gamma \in \Gamma$ and $i \in [0,k]$, where $\sigma_{-1} = (\gamma_0, 0, \rhd)$, then there is a state $q \in F$ such that $q$ is $k$-stratified reachable by $\mathcal{M}$.

To this aim, we first show that for every configuration $c \in (Q \times \Gamma_{\mathcal{P}} \times Loc(\mathcal{M}))$ and $\sigma_i \in \Sigma^*$, if there is a run $\mu(c) \Rightarrow^{\sigma_i}_{T(\mathcal{P})} \varsigma'$ for some $\varsigma' \in Conf(\mathcal{P})$, and the number of occurrences of $(\gamma, i, \lhd)$ in $\sigma_i$ is at most the number of pending threads in $c$ with local configuration $(\gamma, i)$, then there are $c' \in Conf(\mathcal{M})$ and a run $c \Rightarrow^{\tau_i}_{T_{\{i\}}(\mathcal{M})} c'$ such that: (1) $\mu(c') = \varsigma'$, (2) the number of occurrences of $(\gamma, i, \lhd)$ in $\sigma_i$ is equal to the number of threads with local configuration $(\gamma, i)$ activated by $\mathcal{M}$, and (3) the number of threads with local configuration $(\gamma, i+1)$ created/added by $\mathcal{M}$ is equal to the number of occurrences of $(\gamma, i+1, \rhd)$ in $\sigma_i$.

Lemma D.4. For every $i \in [0,k]$, $\varsigma, \varsigma' \in Conf(\mathcal{P})$, $c \in (Q \times \Gamma_{\mathcal{P}} \times Loc(\mathcal{M}))$, and $\sigma_i \in \Sigma^*$, if $\varsigma \Rightarrow^{\sigma_i}_{T(\mathcal{P})} \varsigma'$, $\mu(c) = \varsigma$, and $Idle(c)((\alpha, i)) \geq |\sigma_i|_{(\alpha,i,\lhd)}$ for all $\alpha \in \Gamma_\varepsilon$, then there are $\tau_i \in \Delta^*$ and $c' \in (Q \times \Gamma_{\mathcal{P}} \times Loc(\mathcal{M}))$ such that:

(1) $\mu(c') = \varsigma'$.

(2) $c \Rightarrow^{\tau_i}_{T_{\{i\}}(\mathcal{M})} c'$.

(3) $Idle(c')((\alpha, i)) = Idle(c)((\alpha, i)) - |\sigma_i|_{(\alpha,i,\lhd)}$ and $Idle(c')((\alpha, i+1)) = Idle(c)((\alpha, i+1)) + |\sigma_i|_{(\alpha,i+1,\rhd)}$ for all $\alpha \in \Gamma_\varepsilon$.

(4) $Idle(c')((\alpha, j)) = Idle(c)((\alpha, j))$ for all $(\alpha, j) \in \Gamma_\varepsilon \times [0, k+1]$ such that $j \notin \{i, i+1\}$.
Proof. Assume that $\varsigma \Rightarrow^{\sigma_i}_{T(\mathcal{P})} \varsigma'$ with $|\sigma_i| = \ell$ for some $\ell \in \mathbb{N}$, $\mu(c) = \varsigma$, and $Idle(c)((\alpha, i)) \geq |\sigma_i|_{(\alpha,i,\lhd)}$ for all $\alpha \in \Gamma_\varepsilon$. The proof is done by induction on $\ell$.

Basis. $\ell = 0$. Then $\varsigma = \varsigma'$ and $\sigma_i = \varepsilon$. By taking $c' = c$ and $\tau_i = \varepsilon$, all the conditions of Lemma D.4 are fulfilled.

Step. $\ell > 0$. Then there are $\sigma_i' \in \Sigma^*$, $a \in \Sigma$, and $\varsigma'' \in Conf(\mathcal{P})$ such that $\sigma_i = \sigma_i' a$ and:

$$\varsigma \Rightarrow^{\sigma_i'}_{T(\mathcal{P})} \varsigma'' \xrightarrow{a}_{T(\mathcal{P})} \varsigma'$$

We apply the induction hypothesis to $\varsigma \Rightarrow^{\sigma_i'}_{T(\mathcal{P})} \varsigma''$, since $Idle(c)((\alpha, i)) \geq |\sigma_i|_{(\alpha,i,\lhd)} \geq |\sigma_i'|_{(\alpha,i,\lhd)}$ for all $\alpha \in \Gamma_\varepsilon$, and we obtain that there are $\tau_i' \in \Delta^*$ and $c'' \in (Q \times \Gamma_{\mathcal{P}} \times Loc(\mathcal{M}))$ such that:

• $\mu(c'') = \varsigma''$.

• $c \Rightarrow^{\tau_i'}_{T_{\{i\}}(\mathcal{M})} c''$.

• $Idle(c'')((\alpha, i)) = Idle(c)((\alpha, i)) - |\sigma_i'|_{(\alpha,i,\lhd)}$ and $Idle(c'')((\alpha, i+1)) = Idle(c)((\alpha, i+1)) + |\sigma_i'|_{(\alpha,i+1,\rhd)}$ for all $\alpha \in \Gamma_\varepsilon$.

• $Idle(c'')((\alpha, j)) = Idle(c)((\alpha, j))$ for all $(\alpha, j) \in \Gamma_\varepsilon \times [0, k+1]$ such that $j \notin \{i, i+1\}$.

Since we have $\varsigma'' \xrightarrow{a}_{T(\mathcal{P})} \varsigma'$, one of the following cases holds:

• Case 1: $a = (\varepsilon, i, -)$. Then there are $q, q' \in Q$, $\gamma \in \Gamma$, and $u \in \Gamma_\varepsilon$ such that $(q, (\gamma, i)) \xrightarrow{(\varepsilon, i, -)}_{\mathcal{P}} (q', (u, i))$, $\varsigma'' = (q, (\gamma, i))$, and $\varsigma' = (q', (u, i))$. Since $\mu(c'') = \varsigma''$, we have $State(c'') = q$ and $Active(c'') = (\gamma, i)$. Moreover, we have $t = (q, \gamma) \hookrightarrow_{\mathcal{M}} (q', u) \rhd \varepsilon$. By taking $c' = (q', (u, i), Idle(c''))$, we have $c'' \xrightarrow{t}_{T_{\{i\}}(\mathcal{M})} c'$.

Now, we can use the definition of the function $\mu$ to show that $\mu(c') = (q', (u, i)) = \varsigma'$. Let $\tau_i = \tau_i' t$. We can put together the run $c \Rightarrow^{\tau_i'}_{T_{\{i\}}(\mathcal{M})} c''$ and the step $c'' \xrightarrow{t}_{T_{\{i\}}(\mathcal{M})} c'$ to obtain the following run of $T_{\{i\}}(\mathcal{M})$:

$$c \Rightarrow^{\tau_i}_{T_{\{i\}}(\mathcal{M})} c' \tag{D.12}$$

Then, we can use the fact that $Idle(c') = Idle(c'')$ and $\sigma_i = \sigma_i'(\varepsilon, i, -)$ to show that conditions (3) and (4) of Lemma D.4 are fulfilled.

• Case 2: $a = (\alpha, i+1, \rhd)$ and $\varsigma' \notin (Q \times \{\bot\})$. Then there are $q, q' \in Q$, $\gamma \in \Gamma$, and $u \in \Gamma_\varepsilon$ such that $(q, (\gamma, i)) \xrightarrow{a}_{\mathcal{P}} (q', (u, i))$, $\varsigma'' = (q, (\gamma, i))$, and $\varsigma' = (q', (u, i))$. Since $\mu(c'') = \varsigma''$, we have $State(c'') = q$ and $Active(c'') = (\gamma, i)$. Moreover, we have $t = (q, \gamma) \hookrightarrow_{\mathcal{M}} (q', u) \rhd \alpha$. By taking $c' = (q', (u, i), Idle(c'') + \mathrm{Id}^{(\alpha, i+1)}_{Loc(\mathcal{M})})$, we have $c'' \xrightarrow{t}_{T_{\{i\}}(\mathcal{M})} c'$.

Then, we can use the definition of the function $\mu$ to show that $\mu(c') = (q', (u, i)) = \varsigma'$. Let $\tau_i = \tau_i' t$. We can put together the run $c \Rightarrow^{\tau_i'}_{T_{\{i\}}(\mathcal{M})} c''$ and the step $c'' \xrightarrow{t}_{T_{\{i\}}(\mathcal{M})} c'$ to obtain the following run of $T_{\{i\}}(\mathcal{M})$:

$$c \Rightarrow^{\tau_i}_{T_{\{i\}}(\mathcal{M})} c' \tag{D.13}$$

Then, we can use the fact that $Idle(c') = Idle(c'') + \mathrm{Id}^{(\alpha, i+1)}_{Loc(\mathcal{M})}$ and $\sigma_i = \sigma_i'(\alpha, i+1, \rhd)$ to show that conditions (3) and (4) of Lemma D.4 are fulfilled.

• Case 3: $a = (u, i+1, \rhd)$ and $\varsigma' \in (Q \times \{\bot\})$. Then there are $q, q' \in Q$ and $\gamma \in \Gamma$ such that $(q, (\gamma, i)) \xrightarrow{a}_{\mathcal{P}} (q', \bot)$, $\varsigma'' = (q, (\gamma, i))$, and $\varsigma' = (q', \bot)$. Since $\mu(c'') = \varsigma''$, we have $State(c'') = q$ and $Active(c'') = (\gamma, i)$. Moreover, we have $t = (q, \gamma) \mapsto_{\mathcal{M}} (q', u)$. By taking $c' = (q', \bot, Idle(c'') + \mathrm{Id}^{(u, i+1)}_{Loc(\mathcal{M})})$, we have $c'' \xrightarrow{t}_{T_{\{i\}}(\mathcal{M})} c'$.

Now, we can use the definition of the function $\mu$ to show that $\mu(c') = (q', \bot) = \varsigma'$. Let $\tau_i = \tau_i' t$. We can put together the run $c \Rightarrow^{\tau_i'}_{T_{\{i\}}(\mathcal{M})} c''$ and the step $c'' \xrightarrow{t}_{T_{\{i\}}(\mathcal{M})} c'$ to obtain the following run of $T_{\{i\}}(\mathcal{M})$:

$$c \Rightarrow^{\tau_i}_{T_{\{i\}}(\mathcal{M})} c' \tag{D.14}$$

Then, we can use the fact that $Idle(c') = Idle(c'') + \mathrm{Id}^{(u, i+1)}_{Loc(\mathcal{M})}$ and $\sigma_i = \sigma_i'(u, i+1, \rhd)$ to show that conditions (3) and (4) of Lemma D.4 are fulfilled.

• Case 4: $a = (\gamma, i, \lhd)$. Then there are $q, q' \in Q$ such that $(q, \bot) \xrightarrow{a}_{\mathcal{P}} (q', (\gamma, i))$, $\varsigma'' = (q, \bot)$, and $\varsigma' = (q', (\gamma, i))$. Since $\mu(c'') = \varsigma''$, we have $State(c'') = q$ and $Active(c'') = \bot$. In addition, we have $Idle(c'')((\gamma, i)) \geq 1$ since $Idle(c'')((\gamma, i)) = Idle(c)((\gamma, i)) - |\sigma_i'|_{(\gamma,i,\lhd)}$, $Idle(c)((\gamma, i)) \geq |\sigma_i|_{(\gamma,i,\lhd)}$, and $|\sigma_i|_{(\gamma,i,\lhd)} = |\sigma_i'|_{(\gamma,i,\lhd)} + 1$. Moreover, we have $t = q \mapsto_{\mathcal{M}} q' \lhd \gamma$. Then, by taking $c' = (q', (\gamma, i), Idle(c'') - \mathrm{Id}^{(\gamma, i)}_{Loc(\mathcal{M})})$, we have $c'' \xrightarrow{t}_{T_{\{i\}}(\mathcal{M})} c'$.

Now, we can use the definition of the function $\mu$ to show that $\mu(c') = (q', (\gamma, i)) = \varsigma'$. Let $\tau_i = \tau_i' t$. Then, we can put together the run $c \Rightarrow^{\tau_i'}_{T_{\{i\}}(\mathcal{M})} c''$ and the step $c'' \xrightarrow{t}_{T_{\{i\}}(\mathcal{M})} c'$ to obtain the following run of $T_{\{i\}}(\mathcal{M})$:

$$c \Rightarrow^{\tau_i}_{T_{\{i\}}(\mathcal{M})} c' \tag{D.15}$$

Then, we can use the fact that $Idle(c') = Idle(c'') - \mathrm{Id}^{(\gamma, i)}_{Loc(\mathcal{M})}$ and $\sigma_i = \sigma_i'(\gamma, i, \lhd)$ to show that conditions (3) and (4) of Lemma D.4 are fulfilled. □

Now, we are ready to prove the if direction of Lemma 4.4.

Lemma D.5. If there is $\sigma_i \in \Sigma^*$ for all $i \in [0,k]$ such that $\sigma_0 \sigma_1 \cdots \sigma_k \in Traces_{T(\mathcal{P})}(\{(q_0, \bot)\}, F \times \{\bot\})$, and $|\sigma_i|_{(\gamma,i,\lhd)} \leq |\sigma_{i-1}|_{(\gamma,i,\rhd)}$ for all $\gamma \in \Gamma$ and $i \in [0,k]$ with $\sigma_{-1} = (\gamma_0, 0, \rhd)$, then there is a state $q \in F$ such that $q$ is $k$-stratified reachable by $\mathcal{M}$.

Proof. Let us assume now that there are $\sigma_i \in \Sigma^*$ for all $i \in [0,k]$ such that $\sigma_0 \sigma_1 \cdots \sigma_k \in Traces_{T(\mathcal{P})}(\{(q_0, \bot)\}, F \times \{\bot\})$, and $|\sigma_i|_{(\gamma,i,\lhd)} \leq |\sigma_{i-1}|_{(\gamma,i,\rhd)}$ for all $\gamma \in \Gamma$ and $i \in [0,k]$ with $\sigma_{-1} = (\gamma_0, 0, \rhd)$. Then, there are $\varsigma_0, \varsigma_1, \ldots, \varsigma_{k+1} \in Conf(\mathcal{P})$ such that: (i) $\varsigma_0 = (q_0, \bot)$ and $\varsigma_{k+1} \in F \times \{\bot\}$, and (ii) we have the following run of $T(\mathcal{P})$:

$$\varsigma_0 \Rightarrow^{\sigma_0}_{T(\mathcal{P})} \varsigma_1 \Rightarrow^{\sigma_1}_{T(\mathcal{P})} \cdots \Rightarrow^{\sigma_{k-1}}_{T(\mathcal{P})} \varsigma_k \Rightarrow^{\sigma_k}_{T(\mathcal{P})} \varsigma_{k+1}$$

Then, we can apply Lemma D.4 to $\mu(c^{init}_{\mathcal{M}}) = \varsigma_0 \Rightarrow^{\sigma_0}_{T(\mathcal{P})} \varsigma_1$ and $Idle(c^{init}_{\mathcal{M}})((\alpha, 0)) \geq |\sigma_0|_{(\alpha,0,\lhd)}$ for all $\alpha \in \Gamma_\varepsilon$, to prove that there are $\tau_0 \in \Delta^*$ and $c_1 \in (Q \times \Gamma_{\mathcal{P}} \times Loc(\mathcal{M}))$ such that:

• $\mu(c_1) = \varsigma_1$.

• $c^{init}_{\mathcal{M}} \Rightarrow^{\tau_0}_{T_{\{0\}}(\mathcal{M})} c_1$.

• $Idle(c_1)((\alpha, 0)) = Idle(c^{init}_{\mathcal{M}})((\alpha, 0)) - |\sigma_0|_{(\alpha,0,\lhd)}$ and $Idle(c_1)((\alpha, 1)) = |\sigma_0|_{(\alpha,1,\rhd)}$ for all $\alpha \in \Gamma_\varepsilon$.

• $Idle(c_1)((\alpha, j)) = Idle(c^{init}_{\mathcal{M}})((\alpha, j)) = 0$ for all $(\alpha, j) \in \Gamma_\varepsilon \times [0, k+1]$ such that $j \notin \{0, 1\}$.

Now, we can apply Lemma D.4 to $\mu(c_1) = \varsigma_1$, $\varsigma_1 \Rightarrow^{\sigma_1}_{T(\mathcal{P})} \varsigma_2$, and $Idle(c_1)((\alpha, 1)) = |\sigma_0|_{(\alpha,1,\rhd)} \geq |\sigma_1|_{(\alpha,1,\lhd)}$ for all $\alpha \in \Gamma_\varepsilon$, to show that there are $\tau_1 \in \Delta^*$ and $c_2 \in (Q \times \Gamma_{\mathcal{P}} \times Loc(\mathcal{M}))$ such that:

• $\mu(c_2) = \varsigma_2$.

• $c_1 \Rightarrow^{\tau_1}_{T_{\{1\}}(\mathcal{M})} c_2$.

• $Idle(c_2)((\alpha, 1)) = Idle(c_1)((\alpha, 1)) - |\sigma_1|_{(\alpha,1,\lhd)}$ and $Idle(c_2)((\alpha, 2)) = |\sigma_1|_{(\alpha,2,\rhd)}$ for all $\alpha \in \Gamma_\varepsilon$.

• $Idle(c_2)((\alpha, j)) = Idle(c_1)((\alpha, j))$ for all $(\alpha, j) \in \Gamma_\varepsilon \times [0, k+1]$ such that $j \notin \{1, 2\}$.

So, we can apply Lemma D.4 step by step to prove that there are $\tau_0, \ldots, \tau_k \in \Delta^*$ and $c_0, c_1, \ldots, c_{k+1} \in (Q \times \Gamma_{\mathcal{P}} \times Loc(\mathcal{M}))$ such that: (1) $c_0 = c^{init}_{\mathcal{M}}$, (2) $\mu(c_i) = \varsigma_i$ for all $i \in [0, k+1]$, and (3) $c_0 \Rightarrow^{\tau_0}_{T_{\{0\}}(\mathcal{M})} c_1 \cdots \Rightarrow^{\tau_{k-1}}_{T_{\{k-1\}}(\mathcal{M})} c_k \Rightarrow^{\tau_k}_{T_{\{k\}}(\mathcal{M})} c_{k+1}$.

Moreover, we have $State(c_{k+1}) \in F$ and $Active(c_{k+1}) = \bot$ since $\varsigma_{k+1} \in F \times \{\bot\}$ and $\mu(c_{k+1}) = \varsigma_{k+1}$. This implies that $State(c_{k+1}) \in F$ is $k$-stratified reachable by $\mathcal{M}$. □

Lemma 4.4 is an immediate consequence of Lemma D.3 and Lemma D.5. □
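The following Python script is an added illustration of the objects that Lemma 4.4 and Lemmas D.2-D.5 manipulate; it is constructed for this page and is not code from the paper. It builds the transitions of $\mathcal{P}$ from a small DCFS following the four cases of the proof of Lemma D.2 (internal step $(\varepsilon,i,-)$, spawn $(\alpha,i+1,\rhd)$, interrupt $(u,i+1,\rhd)$, dispatch $(\gamma,i,\lhd)$), tests a candidate word $\sigma_0\sigma_1$ against $Traces_{T(\mathcal{P})}$ and against the counting condition with $\sigma_{-1} = (\gamma_0,0,\rhd)$, and replays the word as a run of $\mathcal{M}$ the way Lemma D.4 does, updating $(State, Active, Idle)$ case by case. The DCFS, the tuple encoding of rules, the convention that a thread exits through an interrupt with $u = \varepsilon$, and the choice of the first matching rule during replay are assumptions of this example. The second candidate word is accepted by $\mathcal{P}$ but dispatches the worker twice after a single spawn, which is exactly what the counting condition (and the replay) rejects.

```python
"""Added illustration of Lemma 4.4 on a two-thread DCFS (constructed example, not
code from the paper): build P from M following cases 1-4 of Lemma D.2, test a word
against Traces_T(P) and the counting condition, and replay it as an M-run (Lemma D.4)."""
from collections import Counter

EPS = ""                      # epsilon: empty local state (thread exited) or "no spawn"
BOT = None                    # bottom: no active thread
L, R, DASH = "<", ">", "-"    # markers: dispatch (◁), create/add (▷), internal (−)

# Rule encoding (assumed for this example):
#   ("spawn", q, g, q2, u, a): (q,g) ↪ (q2,u) ▷ a, a == EPS for a pure internal step
#   ("int",   q, g, q2, u):    (q,g) ↦ (q2,u), the active thread is interrupted
#   ("disp",  q, q2, g):       q ↦ q2 ◁ g, a pending thread with local state g is dispatched
# A thread exits by being interrupted with u == EPS (a convention of this example).
M = {
    "q0": "q0", "g0": "m", "F": {"qf"},
    "rules": [
        ("disp", "q0", "q0", "m"),             # run the main thread
        ("spawn", "q0", "m", "q1", "m", "w"),  # main spawns one worker
        ("int", "q1", "m", "q1", EPS),         # main exits
        ("disp", "q1", "q1", "w"),             # run a worker
        ("spawn", "q1", "w", "q2", "w", EPS),  # worker internal step
        ("int", "q2", "w", "qf", EPS),         # worker exits in the target state qf
        ("disp", "qf", "q1", "w"),             # P alone would allow a second worker here
    ],
}

def build_P(M, k):
    """Transitions of P over Gamma_eps x [0,k+1] x {<,>,-}, one copy per switch number i."""
    P = set()
    for i in range(k + 1):
        for r in M["rules"]:
            if r[0] == "spawn":
                _, q, g, q2, u, a = r
                lab = (EPS, i, DASH) if a == EPS else (a, i + 1, R)
                P.add(((q, (g, i)), lab, (q2, (u, i))))
            elif r[0] == "int":
                _, q, g, q2, u = r
                P.add(((q, (g, i)), (u, i + 1, R), (q2, BOT)))
            else:
                _, q, q2, g = r
                P.add(((q, BOT), (g, i, L), (q2, (g, i))))
    return P

def is_trace(P, q0, F, word):
    """word in Traces_T(P)({(q0,BOT)}, F x {BOT})? P may be nondeterministic: track a set."""
    confs = {(q0, BOT)}
    for a in word:
        confs = {dst for (src, lab, dst) in P if src in confs and lab == a}
    return any(q in F and loc is BOT for (q, loc) in confs)

def counts_ok(sigmas, g0):
    """|sigma_i|_(g,i,<) <= |sigma_{i-1}|_(g,i,>) for all g, i, with sigma_{-1} = (g0,0,>)."""
    prev = Counter([(g0, 0, R)])
    for i, s in enumerate(sigmas):
        cur = Counter(s)
        for (g, j, mark), n in cur.items():
            if mark == L and j == i and n > prev[(g, i, R)]:
                return False
        prev = cur
    return True

def rebuild_run(M, sigmas):
    """Lemma D.4 made executable: replay sigma_0 ... sigma_k as a run of M, one phase per
    switch number, updating (State, Active, Idle) as the four cases prescribe. The first
    matching rule is taken (an assumption). Returns the final configuration, or None when
    a letter has no matching step or a dispatch finds no pending thread (Idle would go
    negative, i.e. the counting condition was violated)."""
    state, active, idle = M["q0"], BOT, Counter({(M["g0"], 0): 1})
    for i, s in enumerate(sigmas):
        for (x, j, mark) in s:
            for r in M["rules"]:
                if mark == L and j == i and r[0] == "disp" and (r[1], r[3]) == (state, x) and active is BOT:
                    if idle[(x, i)] == 0:
                        return None
                    idle[(x, i)] -= 1; state, active = r[2], (x, i); break
                if r[0] == "spawn" and (r[1], (r[2], i)) == (state, active):
                    if mark == DASH and j == i and r[5] == EPS:
                        state, active = r[3], (r[4], i); break
                    if mark == R and j == i + 1 and r[5] == x:
                        state, active = r[3], (r[4], i); idle[(x, i + 1)] += 1; break
                if r[0] == "int" and mark == R and j == i + 1 and (r[1], (r[2], i), r[4]) == (state, active, x):
                    state, active = r[3], BOT; idle[(x, i + 1)] += 1; break
            else:
                return None
    return state, active, dict(idle)

# Constructed candidate words: SIG0/SIG1 satisfy both conditions of Lemma 4.4;
# SIG1_BAD is still a trace of P but dispatches the worker twice after a single spawn.
SIG0 = [("m", 0, L), ("w", 1, R), (EPS, 1, R)]
SIG1 = [("w", 1, L), (EPS, 1, DASH), (EPS, 2, R)]
SIG1_BAD = SIG1 + SIG1

if __name__ == "__main__":
    P = build_P(M, 1)
    for name, word in (("good", [SIG0, SIG1]), ("bad", [SIG0, SIG1_BAD])):
        flat = [a for s in word for a in s]
        print(name, is_trace(P, M["q0"], M["F"], flat), counts_ok(word, M["g0"]), rebuild_run(M, word))
```

Running the file prints the verdicts for both words. $\mathcal{P}$ accepts the bad word because a finite automaton cannot count pending threads; the counting condition of the lemma is what restores that information, and the replay shows the violation concretely as a dispatch with no pending thread to dispatch.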

Appendix E. The proof of Lemma 5.3

The proof of Lemma 5.3 is structured as follows: First, we establish the relation between a computation of a thread of $\mathcal{M}_{fs}$ and a run of $\mathcal{S}_{(q,\gamma)}$. Then, we give the relation between a computation of a thread of $\mathcal{M}$ and a run of $\mathcal{P}_{(q,\gamma)}$. Due to the link between the set of runs of $\mathcal{P}_{(q,\gamma)}$ and the set of runs of $\mathcal{A}_{(q,\gamma)}$, these two relations permit us to construct for every thread computation of $\mathcal{M}$ an "equivalent" thread computation of $\mathcal{M}_{fs}$ and vice-versa. Then, we consider a DCPS $\mathcal{M}_{\cup}$ which is the union of $\mathcal{M}$ and $\mathcal{M}_{fs}$, in the sense that for each thread $T$ with initial configuration $\gamma \in \Gamma$, $\mathcal{M}_{\cup}$ chooses nondeterministically to execute the thread $T$ following the transition relation of $\mathcal{M}_{fs}$ or the transition relation of $\mathcal{M}$.

Afterwards, we define the rank of a run of $\mathcal{M}_{\cup}$ from the initial configuration $c^{init}_{\mathcal{M}_{\cup}}$ as the pair $(m, n) \in \mathbb{N} \times \mathbb{N}$ where $m$ is the number of threads involved in the run following the transition relation of $\mathcal{M}$ and $n$ is the number of threads involved in the run following the transition relation of $\mathcal{M}_{fs}$. Observe that runs of rank $(m, n)$ where $n = 0$ (resp. $m = 0$) are precisely the runs of $\mathcal{M}$ (resp. $\mathcal{M}_{fs}$). Then, we prove that for any computation of $\mathcal{M}_{\cup}$ (from the initial configuration $c^{init}_{\mathcal{M}_{\cup}}$) of rank $(m+1, n)$ (resp. $(m, n+1)$), there is a run of $\mathcal{M}_{\cup}$ of rank $(m, n+1)$ (resp. $(m+1, n)$). This run is obtained from the original one by replacing a thread that follows the transition relation of $\mathcal{M}$ (resp. $\mathcal{M}_{fs}$) by a thread that follows the transition relation of $\mathcal{M}_{fs}$ (resp. $\mathcal{M}$). This is possible since any thread of $\mathcal{M}_{pf}$ can be simulated by a thread of $\mathcal{M}_{fs}$ and vice-versa. An immediate consequence of this result is that, for every $m \in \mathbb{N}$, a state $q$ is $k$-bounded (resp. $k$-stratified) reachable by a run of $\mathcal{M}_{\cup}$ of rank $(m, 0)$ (i.e., a run of $\mathcal{M}_{pf}$) if and only if it is $k$-bounded (resp. $k$-stratified) reachable by a run of $\mathcal{M}_{\cup}$ of rank $(0, m)$ (i.e., a run of $\mathcal{M}_{fs}$). This is precisely what Lemma 5.3 says.

E.1. The language of the finite state automata $\mathcal{A}_{(q,\gamma)}$. In the following, we establish the following property of the finite state automata $\mathcal{A}_{(q,\gamma)}$.

Lemma E.1. Let $i < k$. If there are $\sigma_0, \ldots, \sigma_i \in \Gamma^*$, $\gamma_1, \ldots, \gamma_i \in \Gamma$, $\alpha \in \Gamma_\varepsilon$, $g_0, p_0, g_1, \ldots, p_i, g_{i+1} \in Q$, $s_0 \in I_{(g_0,\gamma)}$, and $s \in S_{(g_0,\gamma)}$ such that

$$\sigma_0 (p_0, \gamma_1, g_1) \sigma_1 \cdots \sigma_{i-1} (p_{i-1}, \gamma_i, g_i) \sigma_i (p_i, \alpha, g_{i+1}) \in Traces_{T(\mathcal{S}_{(g_0,\gamma)})}(\{s_0\}, \{s\}),$$

then

$$\sigma_0 (p_0, \gamma_1, g_1) \sigma_1 \cdots \sigma_{i-1} (p_{i-1}, \gamma_i, g_i) \sigma_i (p_i, \varepsilon, g_{i+1}) \in L(\mathcal{A}_{(g_0,\gamma)}).$$

Proof. Since all the states of the automaton $\mathcal{A}_{(g_0,\gamma)}$, in particular the state $s$, are co-reachable from the final states, there is $v \in \Sigma^*$ such that:

$$\sigma_0 (p_0, \gamma_1, g_1) \sigma_1 \cdots \sigma_{i-1} (p_{i-1}, \gamma_i, g_i) \sigma_i (p_i, \alpha, g_{i+1}) v \in L(\mathcal{A}_{(g_0,\gamma)})$$

This implies that there are $\sigma_0', \ldots, \sigma_i' \in \Gamma^*$ and $v' \in \Sigma^*$ such that: (1) $\sigma_l \preceq \sigma_l'$ for all $l \in [0,i]$, (2) $v \preceq v'$, and (3) we have:

$$\sigma_0' (p_0, \gamma_1, g_1) \sigma_1' \cdots \sigma_{i-1}' (p_{i-1}, \gamma_i, g_i) \sigma_i' (p_i, \alpha, g_{i+1}) v' \in L(\mathcal{P}_{(g_0,\gamma)})$$

Now, we can use the definition of $\mathcal{P}_{(g_0,\gamma)}$ to show that we have:

$$\sigma_0' (p_0, \gamma_1, g_1) \sigma_1' \cdots \sigma_{i-1}' (p_{i-1}, \gamma_i, g_i) \sigma_i' (p_i, \varepsilon, g_{i+1}) \in L(\mathcal{P}_{(g_0,\gamma)})$$

In addition, we can show that $\sigma_0' (p_0, \gamma_1, g_1) \sigma_1' \cdots \sigma_{i-1}' (p_{i-1}, \gamma_i, g_i) \sigma_i' (p_i, \varepsilon, g_{i+1}) \in L((\mathcal{A}_{(g_0,\gamma)})_{i+1})$ since $i < k$. This implies that $\sigma_0 (p_0, \gamma_1, g_1) \sigma_1 \cdots \sigma_{i-1} (p_{i-1}, \gamma_i, g_i) \sigma_i (p_i, \varepsilon, g_{i+1}) \in L(\mathcal{A}_{(g_0,\gamma)})$ since $\sigma_l \preceq \sigma_l'$ for all $l \in [0,i]$. □



E.2. The relation between the DCFS $\mathcal{M}_{fs}$ and the FSA $\mathcal{A}_{(q,\gamma)}$. In the following, we establish the link between the set of runs of a thread of $\mathcal{M}_{fs}$ without context switches and the language generated by the finite state automaton $\mathcal{A}_{(q,\gamma)}$.

Lemma E.2. Let $j \in \mathbb{N}$, $s, s' \in S_{fs}$, and $Val, Val' \in [Loc(\mathcal{M}_{fs}) \to \mathbb{N}]$. There is $\tau \in \Delta^*_{fs}$ such that $(\sharp, (s, j), Val) \Rightarrow^{\tau}_{T_{\{j\}}(\mathcal{M}_{fs})} (\sharp, (s', j), Val + Val')$ if and only if there are $q \in Q$, $\gamma \in \Gamma$, and $\sigma \in \Gamma^*$ such that $s \Rightarrow^{\sigma}_{T(\mathcal{A}_{(q,\gamma)})} s'$, $Val'((\gamma', j+1)) = |\sigma|_{\gamma'}$ for all $\gamma' \in \Gamma$, and $Val'((w, l)) = 0$ for all $w \in \Gamma^\varepsilon_{fs}$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

Proof. The Only if direction: Assume that there is $\tau \in \Delta^*_{fs}$ such that $(\sharp, (s, j), Val) \Rightarrow^{\tau}_{T_{\{j\}}(\mathcal{M}_{fs})} (\sharp, (s', j), Val + Val')$ with $|\tau| = n$ for some $n \in \mathbb{N}$. We proceed by induction on $n$.

Basis. $n = 0$. Then $\tau = \varepsilon$, $s = s'$, and $Val' = \mathrm{Id}^{0}_{Loc(\mathcal{M}_{fs})}$. Since $s \in S_{fs}$, there are $q \in Q$ and $\gamma \in \Gamma$ such that $s \in S_{(q,\gamma)}$. By taking $\sigma = \varepsilon$, we have $s \Rightarrow^{\sigma}_{T(\mathcal{A}_{(q,\gamma)})} s'$, $Val'((\gamma', j+1)) = |\sigma|_{\gamma'} = 0$ for all $\gamma' \in \Gamma$, and $Val'((w, l)) = 0$ for all $w \in \Gamma^\varepsilon_{fs}$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

Step. $n > 0$. Then, from the definition of $\mathcal{M}_{fs}$, there are $\tau' \in \Delta^*_{fs}$, $t \in \Delta_{fs}$, $s'' \in S_{fs}$, and $Val'' \in [Loc(\mathcal{M}_{fs}) \to \mathbb{N}]$ such that $\tau = \tau' t$ and:

$$(\sharp, (s, j), Val) \Rightarrow^{\tau'}_{T_{\{j\}}(\mathcal{M}_{fs})} (\sharp, (s'', j), Val + Val'') \xrightarrow{t}_{T_{\{j\}}(\mathcal{M}_{fs})} (\sharp, (s', j), Val + Val') \tag{E.1}$$

We apply the induction hypothesis to $(\sharp, (s, j), Val) \Rightarrow^{\tau'}_{T_{\{j\}}(\mathcal{M}_{fs})} (\sharp, (s'', j), Val + Val'')$, and we obtain that there are $q \in Q$, $\gamma \in \Gamma$, and $\sigma' \in \Gamma^*$ such that $s \Rightarrow^{\sigma'}_{T(\mathcal{A}_{(q,\gamma)})} s''$, $Val''((\gamma', j+1)) = |\sigma'|_{\gamma'}$ for all $\gamma' \in \Gamma$, and $Val''((w, l)) = 0$ for all $w \in \Gamma^\varepsilon_{fs}$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

In addition, from the definition of $\mathcal{M}_{fs}$, $t$ is necessarily of the form $(\sharp, s'') \hookrightarrow_{\mathcal{M}_{fs}} (\sharp, s') \rhd \alpha$ with $\alpha \in \Gamma$. This implies that $s' \in S_{(q,\gamma)}$ and $s'' \xrightarrow{\alpha}_{\mathcal{A}_{(q,\gamma)}} s'$. Moreover, we have $Val' = Val'' + \mathrm{Id}^{(\alpha, j+1)}_{Loc(\mathcal{M}_{fs})}$. Then, by taking $\sigma = \sigma' \alpha$, we can show (using the induction hypothesis) that $s \Rightarrow^{\sigma}_{T(\mathcal{A}_{(q,\gamma)})} s'$, $Val'((\gamma', j+1)) = |\sigma|_{\gamma'}$ for all $\gamma' \in \Gamma$, and $Val'((w, l)) = 0$ for all $w \in \Gamma^\varepsilon_{fs}$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

The If direction: Assume that there are $q \in Q$, $\gamma \in \Gamma$, and $\sigma \in \Gamma^*$ such that $s \Rightarrow^{\sigma}_{T(\mathcal{A}_{(q,\gamma)})} s'$ with $|\sigma| = n$ for some $n \in \mathbb{N}$, $Val'((\gamma', j+1)) = |\sigma|_{\gamma'}$ for all $\gamma' \in \Gamma$, and $Val'((w, l)) = 0$ for all $w \in \Gamma^\varepsilon_{fs}$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$. We proceed by induction on $n$.

Basis. $n = 0$. Then $s = s'$ and $\sigma = \varepsilon$. By taking $\tau = \varepsilon$, we get $(\sharp, (s, j), Val) \Rightarrow^{\tau}_{T_{\{j\}}(\mathcal{M}_{fs})} (\sharp, (s', j), Val + Val')$ since $Val' = \mathrm{Id}^{0}_{Loc(\mathcal{M}_{fs})}$.

Step. $n > 0$. Then there are $s'' \in S_{fs}$, $\sigma' \in \Gamma^*$, and $\alpha \in \Gamma$ such that $\sigma = \sigma' \alpha$ and:

$$s \Rightarrow^{\sigma'}_{T(\mathcal{A}_{(q,\gamma)})} s'' \xrightarrow{\alpha}_{T(\mathcal{A}_{(q,\gamma)})} s' \tag{E.2}$$

Let $Val'' \in [Loc(\mathcal{M}_{fs}) \to \mathbb{N}]$ be such that $Val''((\gamma', j+1)) = |\sigma'|_{\gamma'}$ for all $\gamma' \in \Gamma$, and $Val''((w, l)) = 0$ for all $w \in \Gamma^\varepsilon_{fs}$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$. Then, we apply the induction hypothesis to $s \Rightarrow^{\sigma'}_{T(\mathcal{A}_{(q,\gamma)})} s''$ and $Val''$, and we obtain that there is $\tau' \in \Delta^*_{fs}$ such that $(\sharp, (s, j), Val) \Rightarrow^{\tau'}_{T_{\{j\}}(\mathcal{M}_{fs})} (\sharp, (s'', j), Val + Val'')$.

Since $s'' \xrightarrow{\alpha}_{T(\mathcal{A}_{(q,\gamma)})} s'$, we have $t = (\sharp, s'') \hookrightarrow_{\mathcal{M}_{fs}} (\sharp, s') \rhd \alpha$. Then, using the induction hypothesis, we can show that $(\sharp, (s, j), Val) \Rightarrow^{\tau}_{T_{\{j\}}(\mathcal{M}_{fs})} (\sharp, (s', j), Val + Val')$ with $\tau = \tau' t$, since we have $Val' = Val'' + \mathrm{Id}^{(\alpha, j+1)}_{Loc(\mathcal{M}_{fs})}$. □

Next, we use Lemma E.2 to establish the relation between the set of languages accepted by the finite state automata $\mathcal{A}_{(q,\gamma)}$ and the set of runs of $\mathcal{M}_{fs}$ between two configurations with no active thread and without context switches.

Lemma E.3. Let $j \in \mathbb{N}$, $p_1, p_2 \in Q$, $\lambda_1 \in (S^{sw}_{fs} \cup \Gamma)$, $\lambda_2 \in S^{sw}_{fs}$, and $Val \in [Loc(\mathcal{M}_{fs}) \to \mathbb{N}]$. There is $\tau \in \Delta^*_{fs}$ such that $|\tau| \geq 1$ and $(p_1, \bot, \mathrm{Id}^{(\lambda_1, j)}_{Loc(\mathcal{M}_{fs})}) \Rightarrow^{\tau}_{T_{\{j\}}(\mathcal{M}_{fs})} (p_2, \bot, Val + \mathrm{Id}^{(\lambda_2, j+1)}_{Loc(\mathcal{M}_{fs})})$ iff there are $q \in Q$, $\gamma, \gamma_1 \in \Gamma$, $\alpha \in \Gamma_\varepsilon$, $p_1', p_2' \in Q$, $s, s' \in S_{(q,\gamma)}$, and $\sigma \in \Gamma^*$ such that:

• $p_1 \mapsto_{\mathcal{M}_{fs}} p_1' \lhd \lambda_1$, $\lambda_1 = (p_1', (s, \gamma_1))$ if $\lambda_1 \in S^{sw}_{fs}$, and $p_1' = q$ and $s \in I_{(q,\gamma)}$ if $\lambda_1 \in \Gamma$.

• $s \Rightarrow^{\sigma (p_2, \alpha, p_2')}_{T(\mathcal{A}_{(q,\gamma)})} s'$ and $\lambda_2 = (p_2', (s', \alpha))$.

• $Val((\gamma', j+1)) = |\sigma|_{\gamma'}$ for all $\gamma' \in \Gamma$.

• $Val((w, l)) = 0$ for all $w \in \Gamma^\varepsilon_{fs}$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

Proof. The Only if direction: Assume the existence of some $\tau \in \Delta^*_{fs}$ such that $|\tau| \geq 1$ and $(p_1, \bot, \mathrm{Id}^{(\lambda_1, j)}_{Loc(\mathcal{M}_{fs})}) \Rightarrow^{\tau}_{T_{\{j\}}(\mathcal{M}_{fs})} (p_2, \bot, Val + \mathrm{Id}^{(\lambda_2, j+1)}_{Loc(\mathcal{M}_{fs})})$. Then, from the definition of $T_{\{j\}}(\mathcal{M}_{fs})$, there are $q \in Q$, $\gamma, \gamma_1 \in \Gamma$, $p_1' \in Q$, $\tau' \in \Delta^*_{fs}$, $s, s'' \in S_{(q,\gamma)}$, and $\sigma \in \Gamma^*$ such that:

• $(p_1, \bot, \mathrm{Id}^{(\lambda_1, j)}_{Loc(\mathcal{M}_{fs})}) \xrightarrow{t}_{T_{\{j\}}(\mathcal{M}_{fs})} (p_1', (\lambda_1, j), \mathrm{Id}^{0}_{Loc(\mathcal{M}_{fs})})$ such that $t = p_1 \mapsto_{\mathcal{M}_{fs}} p_1' \lhd \lambda_1$.

• $(p_1', (\lambda_1, j), \mathrm{Id}^{0}_{Loc(\mathcal{M}_{fs})}) \xrightarrow{t'}_{T_{\{j\}}(\mathcal{M}_{fs})} (\sharp, (s, j), \mathrm{Id}^{0}_{Loc(\mathcal{M}_{fs})})$ with $t' = (p_1', \lambda_1) \hookrightarrow_{\mathcal{M}_{fs}} (\sharp, s) \rhd \varepsilon$, $\lambda_1 = (p_1', (s, \gamma_1))$ if $\lambda_1 \in S^{sw}_{fs}$, and $p_1' = q$ and $s \in I_{(q,\gamma)}$ if $\lambda_1 \in \Gamma$.

• $(\sharp, (s, j), \mathrm{Id}^{0}_{Loc(\mathcal{M}_{fs})}) \Rightarrow^{\tau'}_{T_{\{j\}}(\mathcal{M}_{fs})} (\sharp, (s'', j), Val)$. Then, we apply Lemma E.2 and we obtain that there is $\sigma \in \Gamma^*$ such that $s \Rightarrow^{\sigma}_{T(\mathcal{A}_{(q,\gamma)})} s''$, $Val((\gamma', j+1)) = |\sigma|_{\gamma'}$ for all $\gamma' \in \Gamma$, and $Val((w, l)) = 0$ for all $w \in \Gamma^\varepsilon_{fs}$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

• $(\sharp, (s'', j), Val) \xrightarrow{t''}_{T_{\{j\}}(\mathcal{M}_{fs})} (p_2, \bot, Val + \mathrm{Id}^{(\lambda_2, j+1)}_{Loc(\mathcal{M}_{fs})})$ with $t'' = (\sharp, s'') \mapsto_{\mathcal{M}_{fs}} (p_2, \lambda_2)$. From the definition of $\mathcal{M}_{fs}$, this implies that there are $p_2' \in Q$, $s' \in S_{(q,\gamma)}$, and $\alpha \in \Gamma_\varepsilon$ such that $s'' \xrightarrow{(p_2, \alpha, p_2')}_{T(\mathcal{A}_{(q,\gamma)})} s'$ and $\lambda_2 = (p_2', (s', \alpha))$.

This terminates the proof of the Only if direction.

The If direction: Assume that there are $q \in Q$, $\gamma, \gamma_1 \in \Gamma$, $\alpha \in \Gamma_\varepsilon$, $p_1', p_2' \in Q$, $s, s' \in S_{(q,\gamma)}$, and $\sigma \in \Gamma^*$ such that:

• $t = p_1 \mapsto_{\mathcal{M}_{fs}} p_1' \lhd \lambda_1$, $\lambda_1 = (p_1', (s, \gamma_1))$ if $\lambda_1 \in S^{sw}_{fs}$, and $p_1' = q$ and $s \in I_{(q,\gamma)}$ if $\lambda_1 \in \Gamma$.

• $s \Rightarrow^{\sigma (p_2, \alpha, p_2')}_{T(\mathcal{A}_{(q,\gamma)})} s'$ and $\lambda_2 = (p_2', (s', \alpha))$.

• $Val((\gamma', j+1)) = |\sigma|_{\gamma'}$ for all $\gamma' \in \Gamma$.

• $Val((w, l)) = 0$ for all $w \in \Gamma^\varepsilon_{fs}$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

Then, from the definition of $T(\mathcal{M}_{fs})$, we have the following run:

$$(p_1, \bot, \mathrm{Id}^{(\lambda_1, j)}_{Loc(\mathcal{M}_{fs})}) \xrightarrow{t}_{T_{\{j\}}(\mathcal{M}_{fs})} (p_1', (\lambda_1, j), \mathrm{Id}^{0}_{Loc(\mathcal{M}_{fs})}) \tag{E.3}$$

Let $t' = (p_1', \lambda_1) \hookrightarrow_{\mathcal{M}_{fs}} (\sharp, s) \rhd \varepsilon$. Then, we have the following run of $T_{\{j\}}(\mathcal{M}_{fs})$:

$$(p_1', (\lambda_1, j), \mathrm{Id}^{0}_{Loc(\mathcal{M}_{fs})}) \xrightarrow{t'}_{T_{\{j\}}(\mathcal{M}_{fs})} (\sharp, (s, j), \mathrm{Id}^{0}_{Loc(\mathcal{M}_{fs})}) \tag{E.4}$$

Let $s'' \in S_{(q,\gamma)}$ be such that $s \Rightarrow^{\sigma}_{T(\mathcal{A}_{(q,\gamma)})} s''$ and $s'' \xrightarrow{(p_2, \alpha, p_2')}_{T(\mathcal{A}_{(q,\gamma)})} s'$. Then, we can apply Lemma E.2 to prove that there is $\tau' \in \Delta^*_{fs}$ such that:

$$(\sharp, (s, j), \mathrm{Id}^{0}_{Loc(\mathcal{M}_{fs})}) \Rightarrow^{\tau'}_{T_{\{j\}}(\mathcal{M}_{fs})} (\sharp, (s'', j), Val) \tag{E.5}$$

Since $s'' \xrightarrow{(p_2, \alpha, p_2')}_{T(\mathcal{A}_{(q,\gamma)})} s'$, we have $t'' = (\sharp, s'') \mapsto_{\mathcal{M}_{fs}} (p_2, \lambda_2)$. This implies that $T_{\{j\}}(\mathcal{M}_{fs})$ has the following run:

$$(\sharp, (s'', j), Val) \xrightarrow{t''}_{T_{\{j\}}(\mathcal{M}_{fs})} (p_2, \bot, Val + \mathrm{Id}^{(\lambda_2, j+1)}_{Loc(\mathcal{M}_{fs})}) \tag{E.6}$$

Putting together Equations (E.3), (E.4), (E.5) and (E.6), we obtain the required run with $\tau = t t' \tau' t''$. This terminates the proof of the If direction. □



E.3. The relation between the DCPS $\mathcal{M}$ and the PDA $\mathcal{P}_{(q,\gamma)}$. In the following, we establish the link between the set of runs of a thread of $\mathcal{M}$ and the language generated by the pushdown automaton $\mathcal{P}_{(q,\gamma)}$.

Lemma E.4. Let $j \in \mathbb{N}$, $q \in Q$, $\gamma \in \Gamma$, $p_1, p_2 \in Q$, $w_1, w_2 \in \Gamma^*$, and $Val, Val' \in [Loc(\mathcal{M}) \to \mathbb{N}]$. There is $\tau \in \Delta^*$ such that $(p_1, (w_1, j), Val) \Rightarrow^{\tau}_{T_{\{j\}}(\mathcal{M})} (p_2, (w_2, j), Val + Val')$ iff there is $\sigma \in \Gamma^*$ such that $(p_1, w_1) \Rightarrow^{\sigma}_{T(\mathcal{P}_{(q,\gamma)})} (p_2, w_2)$, $Val'((\gamma', j+1)) = |\sigma|_{\gamma'}$ for all $\gamma' \in \Gamma$, and $Val'((w, l)) = 0$ for all $w \in \Gamma^*$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

Proof. The Only if direction: Assume that there is $\tau \in \Delta^*$ with $|\tau| = n$ for some $n \in \mathbb{N}$ such that $(p_1, (w_1, j), Val) \Rightarrow^{\tau}_{T_{\{j\}}(\mathcal{M})} (p_2, (w_2, j), Val + Val')$. We proceed by induction on $n$.

Basis. $n = 0$. This implies that $p_1 = p_2$, $w_1 = w_2$, $\tau = \varepsilon$, and $Val' = \mathrm{Id}^{0}_{Loc(\mathcal{M})}$. By taking $\sigma = \varepsilon$, we have $(p_1, w_1) \Rightarrow^{\sigma}_{T(\mathcal{P}_{(q,\gamma)})} (p_2, w_2)$, $Val'((\gamma', j+1)) = |\sigma|_{\gamma'} = 0$ for all $\gamma' \in \Gamma$, and $Val'((w, l)) = 0$ for all $w \in \Gamma^*$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

Step. $n > 0$. From the definition of $\mathcal{M}$, this implies that there are $p \in Q$, $w_1' \in \Gamma^*$, $Val'' \in [Loc(\mathcal{M}) \to \mathbb{N}]$, $\tau' \in \Delta^*$, and $t \in \Delta$ such that $\tau = \tau' t$ and:

$$(p_1, (w_1, j), Val) \Rightarrow^{\tau'}_{T_{\{j\}}(\mathcal{M})} (p, (w_1', j), Val + Val'') \xrightarrow{t}_{T_{\{j\}}(\mathcal{M})} (p_2, (w_2, j), Val + Val') \tag{E.7}$$

We apply the induction hypothesis to $(p_1, (w_1, j), Val) \Rightarrow^{\tau'}_{T_{\{j\}}(\mathcal{M})} (p, (w_1', j), Val + Val'')$, and we obtain that there is $\sigma' \in \Gamma^*$ such that $(p_1, w_1) \Rightarrow^{\sigma'}_{T(\mathcal{P}_{(q,\gamma)})} (p, w_1')$, $Val''((\gamma', j+1)) = |\sigma'|_{\gamma'}$ for all $\gamma' \in \Gamma$, and $Val''((w, l)) = 0$ for all $w \in \Gamma^*$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

In addition, from the definition of $\mathcal{M}$, the transition $t$ is necessarily of the form $(p, \gamma_1) \hookrightarrow_{\mathcal{M}} (p_2, u) \rhd \alpha$ with $\gamma_1 \in \Gamma$ and $\alpha \in \Gamma_\varepsilon$ such that $w_1' = \gamma_1 v$ and $w_2 = u v$ for some $v \in \Gamma^*$. This implies that $(p, \gamma_1) \xrightarrow{\alpha}_{\mathcal{P}_{(q,\gamma)}} (p_2, u)$, and so $(p, w_1') \xrightarrow{\alpha}_{T(\mathcal{P}_{(q,\gamma)})} (p_2, w_2)$. Moreover, we have $Val' = Val'' + \mathrm{Id}^{(\alpha, j+1)}_{Loc(\mathcal{M})}$. Then, by taking $\sigma = \sigma' \alpha$, we can easily show (using the induction hypothesis) that $(p_1, w_1) \Rightarrow^{\sigma}_{T(\mathcal{P}_{(q,\gamma)})} (p_2, w_2)$, $Val'((\gamma', j+1)) = |\sigma|_{\gamma'}$ for all $\gamma' \in \Gamma$, and $Val'((w, l)) = 0$ for all $w \in \Gamma^*$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

The If direction: Assume that there is $\sigma \in \Gamma^*$ with $|\sigma| = n$ for some $n \in \mathbb{N}$ such that $(p_1, w_1) \Rightarrow^{\sigma}_{T(\mathcal{P}_{(q,\gamma)})} (p_2, w_2)$, $Val'((\gamma', j+1)) = |\sigma|_{\gamma'}$ for all $\gamma' \in \Gamma$, and $Val'((w, l)) = 0$ for all $w \in \Gamma^*$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$. We proceed by induction on $n$.

Basis. $n = 0$. This implies that $p_1 = p_2$, $w_1 = w_2$, $\sigma = \varepsilon$, and $Val' = \mathrm{Id}^{0}_{Loc(\mathcal{M})}$. By taking $\tau = \varepsilon$, we have $(p_1, (w_1, j), Val) \Rightarrow^{\tau}_{T_{\{j\}}(\mathcal{M})} (p_2, (w_2, j), Val + Val')$.

Step. $n > 0$. Then, from the definition of $\mathcal{P}_{(q,\gamma)}$, there are $p \in Q$, $w_1' \in \Gamma^*$, $\sigma' \in \Gamma^*$, and $\alpha \in \Gamma_\varepsilon$ such that $\sigma = \sigma' \alpha$ and:

$$(p_1, w_1) \Rightarrow^{\sigma'}_{T(\mathcal{P}_{(q,\gamma)})} (p, w_1') \xrightarrow{\alpha}_{T(\mathcal{P}_{(q,\gamma)})} (p_2, w_2) \tag{E.8}$$

Let $Val'' \in [Loc(\mathcal{M}) \to \mathbb{N}]$ be such that $Val''((\gamma', j+1)) = |\sigma'|_{\gamma'}$ for all $\gamma' \in \Gamma$, and $Val''((w, l)) = 0$ for all $w \in \Gamma^*$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

Then, we apply the induction hypothesis to $(p_1, w_1) \Rightarrow^{\sigma'}_{T(\mathcal{P}_{(q,\gamma)})} (p, w_1')$ and $Val''$, and we obtain that there is $\tau' \in \Delta^*$ such that $(p_1, (w_1, j), Val) \Rightarrow^{\tau'}_{T_{\{j\}}(\mathcal{M})} (p, (w_1', j), Val + Val'')$. Since $(p, w_1') \xrightarrow{\alpha}_{T(\mathcal{P}_{(q,\gamma)})} (p_2, w_2)$, there are $\gamma_1 \in \Gamma$ and $u \in \Gamma^*$ such that $t = (p, \gamma_1) \hookrightarrow_{\mathcal{M}} (p_2, u) \rhd \alpha$, $w_1' = \gamma_1 v$, and $w_2 = u v$ for some $v \in \Gamma^*$. Then, using the induction hypothesis, we can easily show that $(p_1, (w_1, j), Val) \Rightarrow^{\tau}_{T_{\{j\}}(\mathcal{M})} (p_2, (w_2, j), Val + Val')$ where $\tau = \tau' t$. □
Next, we use Lemma E.4 to establish the relation between the set of languages accepted by the pushdown automata $\mathcal{P}_{(q,\gamma)}$ and the set of runs of $\mathcal{M}$ between two configurations with no active thread and without context switches.

Lemma E.5. Let $j \in \mathbb{N}$, $q \in Q$, $\gamma \in \Gamma$, $p_1, p_2 \in Q$, $w_1 \in \Gamma^*$, and $Val \in [Loc(\mathcal{M}) \to \mathbb{N}]$. There is $\tau \in \Delta^*$ such that $|\tau| \geq 1$ and $(p_1, \bot, \mathrm{Id}^{(w_1, j)}_{Loc(\mathcal{M})}) \Rightarrow^{\tau}_{T_{\{j\}}(\mathcal{M})} (p_2, \bot, Val)$ iff there are $p_1' \in Q$, $\gamma_1 \in \Gamma$, $w_2 \in \Gamma^*$, $\sigma \in \Gamma^*$, and $Val' \in [Loc(\mathcal{M}) \to \mathbb{N}]$ such that:

• $p_1 \mapsto_{\mathcal{M}} p_1' \lhd \gamma_1$ and $w_1 = \gamma_1 v_1$ for some $v_1 \in \Gamma^*$.

• $Val = Val' + \mathrm{Id}^{(w_2, j+1)}_{Loc(\mathcal{M})}$.

• $(p_1', w_1) \Rightarrow^{\sigma (p_2, \alpha, p_2')}_{T(\mathcal{P}_{(q,\gamma)})} (p_2', w_2)$ for all $p_2' \in Q$ and $\alpha \in \Gamma_\varepsilon$ such that $w_2 = \alpha v_2$ for some $v_2 \in \Gamma^*$.

• $Val'((\gamma', j+1)) = |\sigma|_{\gamma'}$ for all $\gamma' \in \Gamma$.

• $Val'((w, l)) = 0$ for all $w \in \Gamma^*$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

Proof. The Only if direction: Assume that $(p_1, \bot, \mathrm{Id}^{(w_1, j)}_{Loc(\mathcal{M})}) \Rightarrow^{\tau}_{T_{\{j\}}(\mathcal{M})} (p_2, \bot, Val)$ for some $\tau \in \Delta^*$ such that $|\tau| \geq 1$. Then, from the definition of $T_{\{j\}}(\mathcal{M})$, there are $p_1', p' \in Q$, $\gamma_1, \gamma_2 \in \Gamma$, $w_2', u \in \Gamma^*$, $\tau' \in \Delta^*$, and $Val' \in [Loc(\mathcal{M}) \to \mathbb{N}]$ such that:

• $(p_1, \bot, \mathrm{Id}^{(w_1, j)}_{Loc(\mathcal{M})}) \xrightarrow{t}_{T_{\{j\}}(\mathcal{M})} (p_1', (w_1, j), \mathrm{Id}^{0}_{Loc(\mathcal{M})})$ such that $t = p_1 \mapsto_{\mathcal{M}} p_1' \lhd \gamma_1$. This implies that $w_1 = \gamma_1 v_1$ for some $v_1 \in \Gamma^*$.

• $(p_1', (w_1, j), \mathrm{Id}^{0}_{Loc(\mathcal{M})}) \Rightarrow^{\tau'}_{T_{\{j\}}(\mathcal{M})} (p', (w_2', j), Val')$. Then, we can apply Lemma E.4 to show that there is $\sigma \in \Gamma^*$ such that $(p_1', w_1) \Rightarrow^{\sigma}_{T(\mathcal{P}_{(q,\gamma)})} (p', w_2')$, $Val'((\gamma', j+1)) = |\sigma|_{\gamma'}$ for all $\gamma' \in \Gamma$, and $Val'((w, l)) = 0$ for all $w \in \Gamma^*$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

• $(p', (w_2', j), Val') \xrightarrow{t'}_{T_{\{j\}}(\mathcal{M})} (p_2, \bot, \mathrm{Id}^{(w_2, j+1)}_{Loc(\mathcal{M})} + Val')$ such that: (1) $Val = \mathrm{Id}^{(w_2, j+1)}_{Loc(\mathcal{M})} + Val'$, (2) $t' = (p', \gamma_2) \mapsto_{\mathcal{M}} (p_2, u)$, and (3) $w_2' = \gamma_2 v$ and $w_2 = u v$ for some $v \in \Gamma^*$. Using the definition of $\mathcal{P}_{(q,\gamma)}$, we have $(p', w_2') \xrightarrow{(p_2, \alpha, p_2')}_{T(\mathcal{P}_{(q,\gamma)})} (p_2', w_2)$ for all $p_2' \in Q$ and $\alpha \in \Gamma_\varepsilon$ such that $w_2 = \alpha v_2$ for some $v_2 \in \Gamma^*$.

This terminates the proof of the only if direction of Lemma E.5.

The If direction: Assume that there are $p_1' \in Q$, $\gamma_1 \in \Gamma$, $w_2 \in \Gamma^*$, $\sigma \in \Gamma^*$, and $Val' \in [Loc(\mathcal{M}) \to \mathbb{N}]$ such that:

• $t = p_1 \mapsto_{\mathcal{M}} p_1' \lhd \gamma_1$ and $w_1 = \gamma_1 v_1$ for some $v_1 \in \Gamma^*$.

• $Val = Val' + \mathrm{Id}^{(w_2, j+1)}_{Loc(\mathcal{M})}$.

• $(p_1', w_1) \Rightarrow^{\sigma (p_2, \alpha, p_2')}_{T(\mathcal{P}_{(q,\gamma)})} (p_2', w_2)$ for all $p_2' \in Q$ and $\alpha \in \Gamma_\varepsilon$ such that $w_2 = \alpha v_2$ for some $v_2 \in \Gamma^*$.

• $Val'((\gamma', j+1)) = |\sigma|_{\gamma'}$ for all $\gamma' \in \Gamma$.

• $Val'((w, l)) = 0$ for all $w \in \Gamma^*$ and $l \in \mathbb{N}$ such that $(w, l) \notin \Gamma \times \{j+1\}$.

Since $t = p_1 \mapsto_{\mathcal{M}} p_1' \lhd \gamma_1$ and $w_1 = \gamma_1 v_1$ for some $v_1 \in \Gamma^*$, we have the following run of $T_{\{j\}}(\mathcal{M})$:

$$(p_1, \bot, \mathrm{Id}^{(w_1, j)}_{Loc(\mathcal{M})}) \xrightarrow{t}_{T_{\{j\}}(\mathcal{M})} (p_1', (w_1, j), \mathrm{Id}^{0}_{Loc(\mathcal{M})}) \tag{E.9}$$

Let $p' \in Q$ and $w_2' \in \Gamma^*$ be such that $(p_1', w_1) \Rightarrow^{\sigma}_{T(\mathcal{P}_{(q,\gamma)})} (p', w_2')$ and $(p', w_2') \xrightarrow{(p_2, \alpha, p_2')}_{T(\mathcal{P}_{(q,\gamma)})} (p_2', w_2)$ for some $p_2' \in Q$. Now, we can apply Lemma E.4 to $(p_1', w_1) \Rightarrow^{\sigma}_{T(\mathcal{P}_{(q,\gamma)})} (p', w_2')$ to show that there is $\tau' \in \Delta^*$ such that:

$$(p_1', (w_1, j), \mathrm{Id}^{0}_{Loc(\mathcal{M})}) \Rightarrow^{\tau'}_{T_{\{j\}}(\mathcal{M})} (p', (w_2', j), Val') \tag{E.10}$$

Since $(p', w_2') \xrightarrow{(p_2, \alpha, p_2')}_{T(\mathcal{P}_{(q,\gamma)})} (p_2', w_2)$, we can use the definition of $\mathcal{P}_{(q,\gamma)}$ to show that there are $\gamma_2 \in \Gamma$ and $u \in \Gamma^*$ such that $t' = (p', \gamma_2) \mapsto_{\mathcal{M}} (p_2, u)$, $w_2' = \gamma_2 v$, and $w_2 = u v$ for some $v \in \Gamma^*$. So, $T_{\{j\}}(\mathcal{M})$ has the following run:

$$(p', (w_2', j), Val') \xrightarrow{t'}_{T_{\{j\}}(\mathcal{M})} (p_2, \bot, \mathrm{Id}^{(w_2, j+1)}_{Loc(\mathcal{M})} + Val') \tag{E.11}$$

Now, we can put together Equation (E.9), Equation (E.10) and Equation (E.11), and we obtain that $(p_1, \bot, \mathrm{Id}^{(w_1, j)}_{Loc(\mathcal{M})}) \Rightarrow^{\tau}_{T_{\{j\}}(\mathcal{M})} (p_2, \bot, Val)$ with $\tau = t \tau' t'$. □

E.4. From the DCPS $\mathcal{M}$ to the DCPS $\mathcal{M}_{pf}$. In order to be able to distinguish the pending threads of $\mathcal{M}$ that have been activated at least once from the other ones, we define a DCPS $\mathcal{M}_{pf}$ (which is just a copy of $\mathcal{M}$) that uses, in addition to the stack alphabet $\Gamma$, a new stack alphabet $\Gamma'$, which is a copy of $\Gamma$, to process threads. Let $\Gamma'$ be a stack alphabet such that $\Gamma' \cap \Gamma_{fs} = \emptyset$ and there is a bijective function $\mathbf{f}$ from $\Gamma$ to $\Gamma'$. This function $\mathbf{f}$ is extended to words over $\Gamma$ in the natural way: $\mathbf{f}(\varepsilon) = \varepsilon$ and $\mathbf{f}(u \cdot v) = \mathbf{f}(u) \cdot \mathbf{f}(v)$ for all $u, v \in \Gamma^*$. Moreover, we define the function $\mathbf{h}$ from $\Gamma_{pf}$ to $\Gamma$ such that $\mathbf{h}(\gamma) = \mathbf{h}(\mathbf{f}(\gamma)) = \gamma$ for all $\gamma \in \Gamma$. The function $\mathbf{h}$ is extended in the usual way to words.

In the following, we define the DCPS $\mathcal{M}_{pf}$ obtained from $\mathcal{M}$ by using $\Gamma'$ instead of $\Gamma$ to process threads. Let $\mathcal{M}_{pf} = (Q, \Gamma_{pf}, \Delta_{pf}, q_0, \gamma_0, F)$ be a DCPS where $\Gamma_{pf} = \Gamma \cup \Gamma'$ and $\Delta_{pf}$ is the smallest transition relation satisfying the following conditions:

• Initialize: For every $q \in Q$ and $\gamma \in \Gamma$, we have $(q, \gamma) \hookrightarrow_{\mathcal{M}_{pf}} (q, \mathbf{f}(\gamma)) \rhd \varepsilon$.

• Spawn: For every $(q, \gamma) \hookrightarrow_{\mathcal{M}} (q', u) \rhd \alpha$, we have $(q, \mathbf{f}(\gamma)) \hookrightarrow_{\mathcal{M}_{pf}} (q', \mathbf{f}(u)) \rhd \alpha$.

• Interrupt: For every $(q, \gamma) \mapsto_{\mathcal{M}} (q', u)$, we have $(q, \mathbf{f}(\gamma)) \mapsto_{\mathcal{M}_{pf}} (q', \mathbf{f}(u))$.

• Dispatch: For every $q \mapsto_{\mathcal{M}} q' \lhd \gamma$, we have $q \mapsto_{\mathcal{M}_{pf}} q' \lhd \gamma$ and $q \mapsto_{\mathcal{M}_{pf}} q' \lhd \mathbf{f}(\gamma)$.

Then, the relation between a thread execution of $\mathcal{M}$ and a thread execution of $\mathcal{M}_{pf}$ is given by the following lemma:

Lemma E.6. Let $j \in \mathbb{N}$, $p_1, p_2 \in Q$, $w_1 \in ((\Gamma')^* \cup \Gamma)$, $w_2 \in (\Gamma')^*$, $Val \in [Loc(\mathcal{M}) \to \mathbb{N}]$, and $Val' \in [Loc(\mathcal{M}_{pf}) \to \mathbb{N}]$. There is $\tau' \in \Delta^*_{pf}$ such that

if and only if there is $\tau \in \Delta^*$ such that

$$(p_1, \bot, \mathrm{Id}^{(\mathbf{h}(w_1), j)}_{Loc(\mathcal{M})}) \Rightarrow^{\tau}_{T_{\{j\}}(\mathcal{M})} (p_2, \bot, Val + \mathrm{Id}^{(\mathbf{h}(w_2), j+1)}_{Loc(\mathcal{M})})$$

and $Val'((\gamma', j+1)) = Val((\gamma', j+1))$ for all $\gamma' \in \Gamma$, and $Val'((w', l)) = Val((w, l)) = 0$ for all $w \in \Gamma^*$, $w' \in \Gamma^*_{pf}$, and $l \in \mathbb{N}$ such that $(w, l), (w', l) \notin \Gamma \times \{j+1\}$.

Moreover, we can show that the BSR[$k$] problem for $\mathcal{M}$ is reducible to its corresponding problem for $\mathcal{M}_{pf}$.

Lemma E.7. For every $k \in \mathbb{N}$, a state $q \in Q$ is $k$-bounded reachable by $\mathcal{M}$ if and only if $q$ is $k$-bounded reachable by $\mathcal{M}_{pf}$.



E.5. From the DCPS $\mathcal{M}_{pf}$ and the DCFS $\mathcal{M}_{fs}$ to the DCPS $\mathcal{M}_u$. We define the DCPS $\mathcal{M}_u = (Q_u, \Gamma_u, \Delta_u, q_0, \gamma_0, F)$ as the union of $\mathcal{M}_{pf}$ and $\mathcal{M}_{fs}$ where: (1) $Q_u = Q_{fs}$, (2) $\Gamma_u = \Gamma_{pf} \cup \Gamma_{fs}$ is a finite set of stack symbols, and (3) $\Delta_u = \Delta_{pf} \cup \Delta_{fs}$ is the transition relation. 

Now, we are ready to define the rank of a run of $T(\mathcal{M}_u)$. Intuitively, the number of threads that are simulated according to $\Delta_{fs}$ (resp. $\Delta_{pf}$) is given by the number of pending threads with stack configuration in $S_{fs} \times \mathbb{N}$ (resp. $(\Gamma')^* \times \mathbb{N}$). Formally, we have: 

Definition E.8. (The rank of a run of $\mathcal{M}_u$) Let $\rho = c_{\mathcal{M}_u} \Rightarrow^{\tau}_{T_{[0,k]}(\mathcal{M}_u)} c$ be a run of $T_{[0,k]}(\mathcal{M}_u)$ such that $\mathit{Active}(c) = \bot$. The rank of $\rho$, denoted by $\mathit{rank}(\rho)$, is defined by the pair $(m, n)$ with $m = \sum_{(w,j) \in (\Gamma')^* \times \mathbb{N}} \mathit{Idle}(c)((w, j))$ and $n = \sum_{(\lambda,j) \in S_{fs} \times \mathbb{N}} \mathit{Idle}(c)((\lambda, j))$. 



E.6. From a run of rank $(m+1, n)$ of $\mathcal{M}_u$ to a run of rank $(m, n+1)$ of $\mathcal{M}_u$. In the following, we establish that given a run of $\mathcal{M}_u$ such that there is one thread executed following the set of transitions $\Delta_{pf}$, we can compute a run of $\mathcal{M}_u$ where the execution of this thread is replaced by an execution of a thread following the set of transitions $\Delta_{fs}$. To this aim, we first need to prove Lemma E.9, which states that for any run of a thread of $\mathcal{M}_{pf}$, we can construct an equivalent run of a thread of $\mathcal{M}_{fs}$. 

Lemma E.9. Let $\gamma \in \Gamma$ and $i, j \in \mathbb{N}$ such that $i + j < k$. If there are $p_0, p'_0, \ldots, p_i, p'_i \in Q$, $w_1, \ldots, w_{i+1} \in (\Gamma')^*$, $\tau_0, \ldots, \tau_i \in \Delta_u$, and $\mathit{Val}'_0, \ldots, \mathit{Val}'_i \in [\mathit{Loc}(\mathcal{M}_u) \to \mathbb{N}]$ such that: 

• $(p_0, \bot, \mathrm{Id}^{\{(\gamma, j)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau_0}_{\{j\}(\mathcal{M}_u)} (p'_0, \bot, \mathit{Val}'_0 + \mathrm{Id}^{\{(w_1, j+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

• For every $l \in [1, i]$, $(p_l, \bot, \mathrm{Id}^{\{(w_l, j+l)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau_l}_{\{j+l\}(\mathcal{M}_u)} (p'_l, \bot, \mathit{Val}'_l + \mathrm{Id}^{\{(w_{l+1}, j+l+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

Then, there are $\lambda_1, \ldots, \lambda_{i+1} \in S_{fs}$ and $\tau'_0, \ldots, \tau'_i \in \Delta_u$ such that: 

• $(p_0, \bot, \mathrm{Id}^{\{(\gamma, j)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau'_0}_{\{j\}(\mathcal{M}_u)} (p'_0, \bot, \mathit{Val}'_0 + \mathrm{Id}^{\{(\lambda_1, j+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

• For every $l \in [1, i]$, $(p_l, \bot, \mathrm{Id}^{\{(\lambda_l, j+l)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau'_l}_{\{j+l\}(\mathcal{M}_u)} (p'_l, \bot, \mathit{Val}'_l + \mathrm{Id}^{\{(\lambda_{l+1}, j+l+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

Proof. Let us assume there are $p_0, p'_0, \ldots, p_i, p'_i \in Q$, $w_1, \ldots, w_{i+1} \in (\Gamma')^*$, $\tau_0, \ldots, \tau_i \in \Delta_u$, and $\mathit{Val}'_0, \ldots, \mathit{Val}'_i \in [\mathit{Loc}(\mathcal{M}_u) \to \mathbb{N}]$ such that: 

• $(p_0, \bot, \mathrm{Id}^{\{(\gamma, j)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau_0}_{\{j\}(\mathcal{M}_u)} (p'_0, \bot, \mathit{Val}'_0 + \mathrm{Id}^{\{(w_1, j+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

• For every $l \in [1, i]$, $(p_l, \bot, \mathrm{Id}^{\{(w_l, j+l)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau_l}_{\{j+l\}(\mathcal{M}_u)} (p'_l, \bot, \mathit{Val}'_l + \mathrm{Id}^{\{(w_{l+1}, j+l+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

From now on, we identify the system $\mathcal{M}_u$ with $\mathcal{M}_{pf}$ (resp. $\mathcal{M}_u$ with $\mathcal{M}_{fs}$) whenever $\mathcal{M}_u$ behaves according to the set of transitions $\Delta_{pf}$ (resp. $\Delta_{fs}$). 

Then, we apply Lemma E.5 and Lemma E.6 to show that there are $\sigma_0, \ldots, \sigma_i \in \Gamma^*$, $\gamma_0, \ldots, \gamma_i \in \Gamma$, and $g_0, \ldots, g_{i+1} \in Q$ such that: 

• $\gamma_0 = \gamma$. 

• For every $l \in [0, i]$, $p_l \mapsto_{\mathcal{M}_u} g_l \lhd \gamma_l$. 

• $\sigma_0 (p'_0, \gamma_1, g_1) \sigma_1 \cdots \sigma_{i-1} (p'_{i-1}, \gamma_i, g_i) \sigma_i (p'_i, \epsilon, g_{i+1}) \in L((g_0, \gamma), i+1)$. 

• For every $l \in [0, i]$, $\mathit{Val}'_l((\gamma', j+l+1)) = |\sigma_l|_{\gamma'}$ for all $\gamma' \in \Gamma$. 

• For every $l \in [0, i]$, $\mathit{Val}'_l((w, l')) = 0$ for all $w \in \Gamma_u^*$ and $l' \in \mathbb{N}$ such that $(w, l') \notin \Gamma \times \{j+l+1\}$. 

Since $L((g_0, \gamma), i+1) \subseteq L(\mathcal{A}_{(g_0, \gamma)})$, there are $s_0, \ldots, s_{i+1} \in S_{(g_0, \gamma)}$ such that: (1) $s_0 \in I_{(g_0, \gamma)}$, (2) $s_l \Rightarrow^{\sigma_l (p'_l, \gamma_{l+1}, g_{l+1})}_{T(\mathcal{A}_{(g_0, \gamma)})} s_{l+1}$ for all $l \in [0, i-1]$, and (3) $s_i \Rightarrow^{\sigma_i (p'_i, \epsilon, g_{i+1})}_{T(\mathcal{A}_{(g_0, \gamma)})} s_{i+1}$. 

Let $\lambda_l = (g_l, (s_l, \gamma_l))$ for all $l \in [1, i]$ and $\lambda_{i+1} = (g_{i+1}, (s_{i+1}, \epsilon))$. Since $p_l \mapsto_{\mathcal{M}_u} g_l \lhd \gamma_l$ for all $l \in [1, i]$, we can use the definition of $\mathcal{M}_{fs}$ to show that $p_l \mapsto_{\mathcal{M}_{fs}} g_l \lhd \lambda_l$ for all $l \in [1, i]$. 

Now, we can apply Lemma E.2 to prove that there are $\tau'_0, \ldots, \tau'_i \in \Delta_u$ such that: 

• $(p_0, \bot, \mathrm{Id}^{\{(\gamma, j)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau'_0}_{\{j\}(\mathcal{M}_u)} (p'_0, \bot, \mathit{Val}'_0 + \mathrm{Id}^{\{(\lambda_1, j+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

• For every $l \in [1, i]$, $(p_l, \bot, \mathrm{Id}^{\{(\lambda_l, j+l)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau'_l}_{\{j+l\}(\mathcal{M}_u)} (p'_l, \bot, \mathit{Val}'_l + \mathrm{Id}^{\{(\lambda_{l+1}, j+l+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

□ 

Next, we show that if some state $q$ is $k$-bounded reachable by a run of $\mathcal{M}_u$ of rank $(m+1, n)$, then $q$ is $k$-bounded reachable by a run of $\mathcal{M}_u$ of rank $(m, n+1)$. 

Lemma E.10. Let $(m, n) \in \mathbb{N} \times \mathbb{N}$, $c_{\mathcal{M}_u} \Rightarrow^{\tau}_{T_{[k]}(\mathcal{M}_u)} c$ be a run of rank $(m+1, n)$ such that $\mathit{Active}(c) = \bot$. Then, there is a run $c_{\mathcal{M}_u} \Rightarrow^{\tau'}_{T_{[k]}(\mathcal{M}_u)} c'$ of rank $(m, n+1)$ such that $\mathit{Active}(c') = \bot$, and $\mathit{State}(c') = \mathit{State}(c)$. 

Proof. Let us assume that $c_{\mathcal{M}_u} \Rightarrow^{\tau}_{T_{[k]}(\mathcal{M}_u)} c$ is a run of rank $(m+1, n)$ with $\mathit{Active}(c) = \bot$. Then, by the definition of DCPSs there are $i, j \in \mathbb{N}$, $\gamma \in \Gamma$, $p_0, p'_0, \ldots, p_i, p'_i, p_{i+1} \in Q$, $w_1, \ldots, w_{i+1} \in (\Gamma')^*$, $\kappa_0, \tau_0, \kappa_1, \tau_1, \ldots, \tau_i, \kappa_{i+1} \in \Delta_u$, and $\mathit{Val}_0, \mathit{Val}'_0, \ldots, \mathit{Val}_i, \mathit{Val}'_i, \mathit{Val}_{i+1} \in [\mathit{Loc}(\mathcal{M}_u) \to \mathbb{N}]$ such that the following conditions are satisfied: 

• $i + j < k$. 

• $\tau = \kappa_0 \tau_0 \kappa_1 \cdots \tau_i \kappa_{i+1}$. 

• $\mathit{State}(c) = p_{i+1}$ and $\mathit{Idle}(c) = \mathit{Val}_{i+1} + \mathrm{Id}^{\{(w_{i+1}, j+i+1)\}}_{\mathit{Loc}(\mathcal{M}_u)}$. 

• $c_{\mathcal{M}_u} \Rightarrow^{\kappa_0}_{T_{[0,k]}(\mathcal{M}_u)} (p_0, \bot, \mathit{Val}_0 + \mathrm{Id}^{\{(\gamma, j)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

• $(p_0, \bot, \mathrm{Id}^{\{(\gamma, j)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau_0}_{\{j\}(\mathcal{M}_u)} (p'_0, \bot, \mathit{Val}'_0 + \mathrm{Id}^{\{(w_1, j+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

• For every $l \in [1, i+1]$, $(p'_{l-1}, \bot, \mathit{Val}'_{l-1} + \mathit{Val}_{l-1}) \Rightarrow^{\kappa_l}_{T_{[0,k]}(\mathcal{M}_u)} (p_l, \bot, \mathit{Val}_l)$. 

• For every $l \in [1, i]$, $(p_l, \bot, \mathrm{Id}^{\{(w_l, j+l)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau_l}_{\{j+l\}(\mathcal{M}_u)} (p'_l, \bot, \mathit{Val}'_l + \mathrm{Id}^{\{(w_{l+1}, j+l+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

Now, we can apply Lemma E.9 to show that there are $\lambda_1, \ldots, \lambda_{i+1} \in S_{fs}$ as well as $\tau'_0, \ldots, \tau'_i \in \Delta_u$ such that: 

• For every $l \in [1, i]$, $(p_l, \bot, \mathrm{Id}^{\{(\lambda_l, j+l)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau'_l}_{\{j+l\}(\mathcal{M}_u)} (p'_l, \bot, \mathit{Val}'_l + \mathrm{Id}^{\{(\lambda_{l+1}, j+l+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

Then, we can use the definition of DCPSs to show that there is a run $c_{\mathcal{M}_u} \Rightarrow^{\tau'}_{T_{[k]}(\mathcal{M}_u)} c'$ of rank $(m, n+1)$ such that $\mathit{Active}(c') = \bot$ and $\mathit{State}(c') = \mathit{State}(c)$. □ 
E.7. From a run of rank $(m, n+1)$ of $\mathcal{M}_u$ to a run of rank $(m+1, n)$ of $\mathcal{M}_u$. In the following, we establish that given a run of $\mathcal{M}_u$ such that there is one thread executed following the set of transitions $\Delta_{fs}$, we can compute a run of $\mathcal{M}_u$ where the execution of this thread is replaced by an execution of a thread following the set of transitions $\Delta_{pf}$. To this aim, we first need to prove Lemma E.11, which states that for any run of a thread of $\mathcal{M}_{fs}$, we can construct an equivalent run of a thread of $\mathcal{M}_{pf}$. 

Lemma E.11. Let $\gamma \in \Gamma$ and $i, j \in \mathbb{N}$ such that $i + j < k$. If there are $p_0, p'_0, \ldots, p_i, p'_i \in Q$, $\lambda_1, \ldots, \lambda_{i+1} \in S_{fs}$, $\tau'_0, \ldots, \tau'_i \in \Delta_u$, and $\mathit{Val}'_0, \ldots, \mathit{Val}'_i \in [\mathit{Loc}(\mathcal{M}_u) \to \mathbb{N}]$ such that: 

• For every $l \in [1, i]$, $(p_l, \bot, \mathrm{Id}^{\{(\lambda_l, j+l)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau'_l}_{\{j+l\}(\mathcal{M}_u)} (p'_l, \bot, \mathit{Val}'_l + \mathrm{Id}^{\{(\lambda_{l+1}, j+l+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

Then, there are $w_1, \ldots, w_{i+1} \in (\Gamma')^*$, $\tau_0, \ldots, \tau_i \in \Delta_u$, and $\mathit{Val}''_0, \ldots, \mathit{Val}''_i \in [\mathit{Loc}(\mathcal{M}_u) \to \mathbb{N}]$ such that: 

• For every $l \in [1, i]$, $(p_l, \bot, \mathrm{Id}^{\{(w_l, j+l)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau_l}_{\{j+l\}(\mathcal{M}_u)} (p'_l, \bot, \mathit{Val}''_l + \mathrm{Id}^{\{(w_{l+1}, j+l+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

• For every $l \in [0, i]$, $\mathit{Val}'_l \leq \mathit{Val}''_l$. 

Proof. Let us assume that there are $p_0, p'_0, \ldots, p_i, p'_i \in Q$, $\lambda_1, \ldots, \lambda_{i+1} \in S_{fs}$, $\tau'_0, \ldots, \tau'_i \in \Delta_u$, and $\mathit{Val}'_0, \ldots, \mathit{Val}'_i \in [\mathit{Loc}(\mathcal{M}_u) \to \mathbb{N}]$ such that: 

• $(p_0, \bot, \mathrm{Id}^{\{(\gamma, j)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau'_0}_{\{j\}(\mathcal{M}_u)} (p'_0, \bot, \mathit{Val}'_0 + \mathrm{Id}^{\{(\lambda_1, j+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

• For every $l \in [1, i]$, $(p_l, \bot, \mathrm{Id}^{\{(\lambda_l, j+l)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau'_l}_{\{j+l\}(\mathcal{M}_u)} (p'_l, \bot, \mathit{Val}'_l + \mathrm{Id}^{\{(\lambda_{l+1}, j+l+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

Then, we apply Lemma E.2 to show that there are $\sigma_0, \ldots, \sigma_i \in \Gamma^*$, $\gamma_0, \ldots, \gamma_i \in \Gamma$, $\alpha \in \Gamma_\epsilon$, $g_0, \ldots, g_{i+1} \in Q$, $s_0 \in I_{(g_0, \gamma)}$, and $s \in S_{(g_0, \gamma)}$ such that: 

• $\gamma_0 = \gamma$. 

• For every $l \in [0, i]$, $p_l \mapsto_{\mathcal{M}_u} g_l \lhd \gamma_l$. 

• $\sigma_0 (p'_0, \gamma_1, g_1) \sigma_1 \cdots \sigma_{i-1} (p'_{i-1}, \gamma_i, g_i) \sigma_i (p'_i, \alpha, g_{i+1}) \in \mathit{Traces}_{T(\mathcal{A}_{(g_0, \gamma)})}(\{s_0\}, \{s\})$. 

• For every $l \in [0, i]$, $\mathit{Val}'_l((\gamma', j+l+1)) = |\sigma_l|_{\gamma'}$ for all $\gamma' \in \Gamma$. 

• For every $l \in [0, i]$, $\mathit{Val}'_l((w, l')) = 0$ for all $w \in \Gamma_u^*$ and $l' \in \mathbb{N}$ such that $(w, l') \notin \Gamma \times \{j+l+1\}$. 

On the other hand, we can use Lemma E.1 to show that 

$\sigma_0 (p'_0, \gamma_1, g_1) \sigma_1 \cdots \sigma_{i-1} (p'_{i-1}, \gamma_i, g_i) \sigma_i (p'_i, \epsilon, g_{i+1}) \in L(\mathcal{A}_{(g_0, \gamma)})$. 

Now, we can use the definition of $L(\mathcal{A}_{(g_0, \gamma)})$ to show that there are $\sigma'_0, \ldots, \sigma'_i \in \Gamma^*$ such that 

$\sigma'_0 (p'_0, \gamma_1, g_1) \sigma'_1 \cdots \sigma'_{i-1} (p'_{i-1}, \gamma_i, g_i) \sigma'_i (p'_i, \epsilon, g_{i+1}) \in L((g_0, \gamma), i+1)$ and $\sigma_l \preceq \sigma'_l$ for all $l \in [0, i]$. 

Then, we can apply Lemma E.5 and Lemma E.6 to prove that there are $w_1, \ldots, w_{i+1} \in (\Gamma')^*$, $\tau_0, \ldots, \tau_i \in \Delta_u$, and $\mathit{Val}''_0, \ldots, \mathit{Val}''_i \in [\mathit{Loc}(\mathcal{M}_u) \to \mathbb{N}]$ such that: 

• $(p_0, \bot, \mathrm{Id}^{\{(\gamma, j)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau_0}_{\{j\}(\mathcal{M}_u)} (p'_0, \bot, \mathit{Val}''_0 + \mathrm{Id}^{\{(w_1, j+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

• For every $l \in [1, i]$, $(p_l, \bot, \mathrm{Id}^{\{(w_l, j+l)\}}_{\mathit{Loc}(\mathcal{M}_u)}) \Rightarrow^{\tau_l}_{\{j+l\}(\mathcal{M}_u)} (p'_l, \bot, \mathit{Val}''_l + \mathrm{Id}^{\{(w_{l+1}, j+l+1)\}}_{\mathit{Loc}(\mathcal{M}_u)})$. 

• For every $l \in [0, i]$, $\mathit{Val}'_l \leq \mathit{Val}''_l$. 

• For every $l \in [0, i]$, $\mathit{Val}''_l((\gamma', j+l+1)) = |\sigma'_l|_{\gamma'}$ for all $\gamma' \in \Gamma$. 

• For every $l \in [0, i]$, $\mathit{Val}''_l((w, l')) = 0$ for all $w \in \Gamma_u^*$ and $l' \in \mathbb{N}$ such that $(w, l') \notin \Gamma \times \{j+l+1\}$. □ 
Next, we show that if some state $q$ is $k$-bounded reachable by a run of $\mathcal{M}_u$ of rank $(m, n+1)$, then $q$ is $k$-bounded reachable by a run of $\mathcal{M}_u$ of rank $(m+1, n)$. 

Lemma E.12. Let $(m, n) \in \mathbb{N} \times \mathbb{N}$, $c_{\mathcal{M}_u} \Rightarrow^{\tau}_{T_{[k]}(\mathcal{M}_u)} c$ be a run of rank $(m, n+1)$ such that $\mathit{Active}(c) = \bot$. Then, there is a run $c_{\mathcal{M}_u} \Rightarrow^{\tau'}_{T_{[k]}(\mathcal{M}_u)} c'$ of rank $(m+1, n)$ such that $\mathit{Active}(c') = \bot$, and $\mathit{State}(c') = \mathit{State}(c)$. 

Proof. Let us assume that $c_{\mathcal{M}_u} \Rightarrow^{\tau}_{T_{[k]}(\mathcal{M}_u)} c$ is a run of rank $(m, n+1)$ such that $\mathit{Active}(c) = \bot$. Then, we can use the definition of DCPSs and Lemma E.11 to show that there is a run $c_{\mathcal{M}_u} \Rightarrow^{\tau'}_{T_{[k]}(\mathcal{M}_u)} c'$ of rank $(m+1, n)$ such that $\mathit{Active}(c') = \bot$, and $\mathit{State}(c') = \mathit{State}(c)$. □ 